CVE-2021-47722
Unknown Unknown - Not Provided
CSRF Vulnerability in Zucchetti Axess CLOKI Access Control

Publication date: 2025-12-23

Last updated on: 2025-12-23

Assigner: VulnCheck

Description
Zucchetti Axess CLOKI Access Control 1.64 contains a cross-site request forgery vulnerability that allows attackers to manipulate access control settings without user interaction. Attackers can craft malicious web pages with hidden forms to disable or modify access control parameters by tricking authenticated users into loading the page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-23
Last Modified
2025-12-23
Generated
2026-06-16
AI Q&A
2025-12-23
EPSS Evaluated
2026-06-15
NVD
CVE-2021-47722
EUVD
EUVD-2025-204820
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
zucchetti axess_cloki_access_control 1.63
zucchetti axess_cloki_access_control 1.64
zucchetti axess_cloki_access_control 1.54
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2021-47722 is a Cross-Site Request Forgery (CSRF) vulnerability in Zucchetti Axess CLOKI Access Control version 1.64. It allows attackers to manipulate access control settings by tricking authenticated users into loading malicious web pages containing hidden forms. These forms send unauthorized HTTP requests to the device, enabling attackers to disable or modify access control parameters without user interaction or proper validation. This can lead to unauthorized administrative actions such as authentication bypass and password changes. [1, 2, 3]

Impact Analysis

This vulnerability can impact you by allowing attackers to gain unauthorized control over your access control system. Specifically, attackers can disable or alter access control settings, bypass authentication, and change administrative account passwords by exploiting the CSRF flaw. This could lead to unauthorized physical access to secured areas, compromising security and potentially causing operational disruptions. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to the CLOKI Access Control web interface, specifically looking for unauthorized or suspicious POST requests to the redirect.cgi endpoint with parameters related to access control settings (e.g., flagAccessControlChanged, RAct, EnR, ExR, DenyRTout, DenyR, IType, E485, GType, TOO, TOC, TOOE, TOCE). Detection can involve capturing and analyzing web traffic for such requests, especially those originating from unexpected sources or without proper CSRF tokens. Since the vulnerability involves CSRF attacks, checking for the absence of CSRF tokens in requests and unusual changes in access control settings can help identify exploitation attempts. However, no specific commands are provided in the resources. [1, 3]

Mitigation Strategies

Immediate mitigation steps include restricting access to the CLOKI Access Control web interface to trusted networks and users only, educating users to avoid visiting untrusted or suspicious websites while authenticated, and implementing network-level protections such as web application firewalls to detect and block CSRF attack patterns. Additionally, monitoring and logging administrative actions can help detect unauthorized changes. Since the vulnerability arises from missing CSRF protections, applying any available patches or updates from the vendor is recommended, although no official response or patch was noted. If patches are not available, consider isolating the affected devices or disabling web management interfaces until a fix is applied. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47722. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart