LiveActive security incident?Get immediate response
CVE Record

CVE-2021-4471: TG8 Firewall Unauthenticated User Password Disclosure

TG8 Firewall exposes a directory such as /data/ over HTTP without authentication. This directory stores credential files for previously logged-in users. A remote unauthenticated attacker can enumerate and download files within the directory to obtain valid account usernames and passwords, leading to loss of confidentiality and further unauthorized access.

HighCVSS 8.7Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

A TG8 Firewall leaves a directory of stored credentials reachable on the network without requiring a login. Anyone who can reach the device over HTTP can browse that folder and download usernames and passwords for accounts that have used the firewall, then reuse those credentials to gain further access.

Executive priority

Treat as high priority where TG8 Firewalls are in use, especially if any management interface is internet-reachable. Stolen credentials enable follow-on intrusion of the firewall and downstream systems, so isolate access now and begin planning replacement if vendor support is unclear.

Technical view

CWE-538 information exposure: the TG8 Firewall web service exposes a directory (e.g., /data/) containing per-user credential files without authentication. An unauthenticated remote actor can enumerate and retrieve these files to recover valid usernames and passwords. CVSS 4.0 score is 8.7 with a confidentiality-only impact (VC:H) and no required privileges or interaction.

Likely exposure

Any TG8 Firewall whose management or web interface is reachable from untrusted networks is exposed. Devices restricted to isolated management VLANs face lower direct exposure but still risk insider abuse. The vendor site is only available via web archive, suggesting limited current support.

Exploitation context

Not listed in CISA KEV. SSD Secure Disclosure published a public advisory describing the password disclosure alongside a related preauth issue, raising practical risk of opportunistic abuse. No confirmed in-the-wild campaigns are cited in the provided sources.

Researcher notes

CVSS 4.0 vector reflects confidentiality-only impact, but disclosed credentials commonly enable lateral movement and administrative takeover, particularly when paired with the related preauth RCE noted by SSD. Affected version data is incomplete (defaultStatus unknown, versions ["0"]); treat all TG8 Firewall deployments as potentially vulnerable until vendor confirmation is obtained.

Mitigation direction

  • Block all untrusted network access to the firewall's HTTP management interface immediately.
  • Restrict management to a dedicated VLAN reachable only from trusted admin hosts.
  • Contact TG8 or your reseller for current firmware guidance, since no fixed version is named in sources.
  • Rotate every credential that was usable on affected devices and invalidate reused passwords elsewhere.
  • If no vendor remediation is available, plan migration to a supported firewall platform.

Validation and detection

  • Inventory all TG8 Firewall appliances and record which interfaces expose HTTP services.
  • From an authorized test host, confirm whether /data/ or similar directories respond without authentication.
  • Review web and proxy logs for unauthenticated requests to credential-bearing paths.
  • Check authentication logs for logins from unusual sources following any suspected exposure window.
  • Confirm with the vendor whether a patched firmware build addresses CVE-2021-4471.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-538: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Credential and access behavior lookup

The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2021-4471 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.7 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
4Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.7CVSS 4.0HighCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:NPrimary CVE score

Vulnerability scoring details

Base CVSS 4.0 score

8.7High
CVSS 4.0 vector shape for CVE-2021-4471Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
TG8TG8 Firewall0unknown
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-538 · source CWE mapping

Insertion of Sensitive Information into Externally-Accessible File or Directory

Insertion of Sensitive Information into Externally-Accessible File or Directory represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.