TWCERT/CC Taiwan Computer Emergency Response Team/Coordination Center


ASUS BMC's firmware: path traversal - Delete SOL video file function

TVN ID: TVN-202103032
CVE ID: CVE-2021-28205
CVSS: 4.9 (Medium)
Affected Products: BMC firmware:
Z10PR-D16 1.14.51
ASMB8-iKVM 1.14.51
Z10PE-D16 WS 1.14.2
Description: A specific function in the Web management page of ASUS BMC firmware (the Delete SOL video file function) does not filter a specific parameter. After obtaining administrator permission, remote attackers can use path traversal to access system files.
Solution: Update the BMC firmware to the following versions:
Z10PR-D16 1.16.1
ASMB8-iKVM 1.16.1
Z10PE-D16 WS 1.16.1
Credit: ASUS
Public Date: 2021-04-06
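
The Description above names the bug class: a delete function that hands an unfiltered request parameter to the file system. The following C code is an added example, not ASUS firmware code and not part of the advisory, showing the containment check such a handler needs. The function names and the use of a single base directory for SOL video files are assumptions.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* realpath() */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: resolve `name` under `base` and accept it only if the
 * canonical result is a direct child of `base`. Returns 0 on success. */
int resolve_inside(const char *base, const char *name, char *out, size_t outlen)
{
    char base_real[PATH_MAX], joined[PATH_MAX], real[PATH_MAX];
    size_t blen;

    /* The parameter must be a single file name, never a path. */
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return -1;
    if (realpath(base, base_real) == NULL)
        return -1;
    if (snprintf(joined, sizeof joined, "%s/%s", base_real, name)
            >= (int)sizeof joined)
        return -1;
    /* Canonicalise so a symlink inside the directory cannot point elsewhere. */
    if (realpath(joined, real) == NULL)
        return -1;
    blen = strlen(base_real);
    if (strncmp(real, base_real, blen) != 0 || real[blen] != '/' ||
        strchr(real + blen + 1, '/') != NULL || strlen(real) >= outlen)
        return -1;
    strcpy(out, real);
    return 0;
}

/* Hypothetical delete handler: `base` is the assumed SOL video directory,
 * `name` is the request parameter. Returns 0 only if a contained file was removed. */
int delete_sol_video(const char *base, const char *name)
{
    char target[PATH_MAX];

    if (resolve_inside(base, name, target, sizeof target) != 0)
        return -1;
    return unlink(target);
}
```

The check and the unlink are separate system calls, so the directory itself should be writable only by the service that owns it.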