CVE-2020-21884: Unibox SMB 2.4 and UniBox Enterprise Series 2.4 and UniBox Campus Series 2.4 contain a cross-site request f...
Unibox SMB 2.4 and UniBox Enterprise Series 2.4 and UniBox Campus Series 2.4 contain a cross-site request forgery (CSRF) vulnerability in /tools/network-trace, /list_users, /list_byod?usertype=raduser, /dhcp_leases, /go?rid=202 in which a specially crafted HTTP request may reconfigure the device.
Security readout for executives and security teams
Plain-English summary
This flaw lets a malicious web request change settings on affected UniBox 2.4 systems if an administrator’s browser is in the right state. That can create business risk because network, user, BYOD, DHCP, or routing-related functions may be altered without clear intent.
Executive priority
Treat this as a targeted operational-risk item, especially for organizations relying on UniBox 2.4 for network administration. Prioritize inventory, management-interface restriction, and vendor guidance review. Escalate if devices are externally reachable or if unexpected configuration changes appear.
Technical view
CVE-2020-21884 is a cross-site request forgery issue in Unibox SMB 2.4, UniBox Enterprise Series 2.4, and UniBox Campus Series 2.4. Reported affected paths include /tools/network-trace, /list_users, /list_byod?usertype=raduser, /dhcp_leases, and /go?rid=202. A crafted HTTP request may reconfigure the device.
Likely exposure
Exposure is most likely where UniBox 2.4 web administration is used and administrators can browse untrusted content while authenticated. Internet-accessible management interfaces increase concern. The sources do not identify other affected versions, CPEs, CVSS score, or a vendor patch.
Exploitation context
The CVE is not listed as CISA KEV in the provided data, and the cited sources do not claim active exploitation. CSRF typically depends on an authenticated administrator’s browser being induced to send an unintended request, rather than direct unauthenticated device access.
Researcher notes
Public data is sparse: no CVSS, CWE, official affected CPEs, patch reference, or active-exploitation claim appears in the provided bundle. The Full Disclosure mirror and KSA advisory are the main technical references. Avoid assuming impact beyond device reconfiguration through the named endpoints.
Mitigation direction
Check vendor or maintainer guidance for fixed versions or configuration advisories.
Restrict UniBox management access to trusted administrative networks or VPN.
Educate administrators to avoid untrusted links while logged into UniBox.
Monitor configuration changes on affected devices for unexpected modifications.
Review administrative web functions for CSRF defenses before continued use.
Validation and detection
Inventory UniBox SMB, Enterprise Series, and Campus Series deployments.
Confirm whether any systems run version 2.4.
Identify whether the listed web paths are reachable by administrators.
Review access logs for unexpected requests to the listed paths.
Check change records for unexplained network, user, BYOD, DHCP, or routing changes.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2020-21884 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
1ADP providers
4Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Apr 9, 2021, 12:19 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.