CVE-2021-41293

ECOA BAS controller - Path Traversal-3

Basic Information

CVE State
PUBLISHED
Reserved Date
September 15, 2021
Published Date
September 30, 2021
Last Updated
September 16, 2024
Vendor
ECOA
Product
ECS Router Controller ECS (FLASH), RiskBuster Terminator E6L45, RiskBuster System RB 3.0.0, RiskBuster System TRANE 1.0, Graphic Control Software, SmartHome II E9246, RiskTerminator
Description
ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files disclosure. Using the specific POST parameter, unauthenticated attackers can remotely disclose arbitrary files on the affected device and disclose sensitive and system information.
Tags
nuclei_scanner edge

CVSS Scores

CVSS v3.1

7.5 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2.0

5.0

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS Score

Score
88.50% (Percentile: 99.46%) as of 2025-06-30

Exploit Status

Exploited in the Wild
Yes (2025-06-20 00:00:00 UTC) Source

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2025-06-21 12:00:50 UTC

Scanner Integrations

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Detected by Nuclei

  • Added to KEVIntel