CVE-2021-47726
Unknown Unknown - Not Provided
Privilege Escalation in NuCom 11N Router via Backup Endpoint

Publication date: 2025-12-31

Last updated on: 2025-12-31

Assigner: VulnCheck

Description
NuCom 11N Wireless Router 5.07.90 contains a privilege escalation vulnerability that allows non-privileged users to access administrative credentials through the configuration backup endpoint. Attackers can send a crafted HTTP GET request to the backup configuration page with a specific cookie to retrieve and decode the admin password in Base64 format.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-31
Last Modified
2025-12-31
Generated
2026-06-16
AI Q&A
2025-12-31
EPSS Evaluated
2026-06-15
NVD
CVE-2021-47726
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
nuevas_comunicaciones_iberia nucom_11n_wireless_router 5.07.89
nuevas_comunicaciones_iberia nucom_11n_wireless_router 5.07.72
nuevas_comunicaciones_iberia nucom_11n_wireless_router 5.07.90
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by sending a crafted HTTP GET request to the router's configuration backup endpoint `/cgi-bin/DownloadNoMacaddrCfg/RouterCfm.cfg` with a specific cookie `ecos_pw=dXNlcg==1311930653:language=en`. Using a command like `curl` to perform this request can reveal the admin credentials encoded in Base64 under the parameter `http_supper_passwd`. Decoding this Base64 string will show the admin password in plaintext, confirming the vulnerability. An example command is: `curl -s -H "Cookie: ecos_pw=dXNlcg==1311930653:language=en" http://<router-ip>/cgi-bin/DownloadNoMacaddrCfg/RouterCfm.cfg | grep http_supper_passwd` [3]

Mitigation Strategies

Immediate mitigation steps include restricting access to the router's configuration backup endpoint to trusted users only, changing default user credentials to strong, unique passwords, and applying any available firmware updates or patches from the vendor. Additionally, monitoring network traffic for suspicious HTTP GET requests to the backup endpoint and disabling remote management if not needed can reduce exposure. [1, 4]

Executive Summary

This vulnerability in the NuCom 11N Wireless Router version 5.07.90 allows a non-privileged user (default username and password: user/user) to escalate their privileges to administrator by sending a specially crafted HTTP GET request to the router's configuration backup endpoint. The request includes a specific cookie that causes the router to disclose the administrative credentials encoded in Base64. An attacker can decode these credentials to obtain the admin password in plaintext, enabling full administrative access to the router. [1, 3, 4]

Impact Analysis

An attacker exploiting this vulnerability can gain unauthorized administrative access to the NuCom 11N Wireless Router. This allows them to control the device, change configurations, potentially intercept or redirect network traffic, and compromise the security of the entire network connected to the router. Since the admin password is disclosed, the attacker can maintain persistent access and perform further malicious activities. [1, 3, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47726. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart