LiveActive security incident?Get immediate response
CVE Record

CVE-2021-45418: Certain Starcharge products are vulnerable to Directory Traversal via main.cgi.

Certain Starcharge products are vulnerable to Directory Traversal via main.cgi. The affected products include: Nova 360 Cabinet <=1.3.0.0.6 - Fixed: 1.3.0.0.9 and Titan 180 Premium <=1.3.0.0.7b102 - Fixed: Beta1.3.0.1.0.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2021-45418 is a directory traversal issue in main.cgi affecting specific Starcharge Nova 360 Cabinet and Titan 180 Premium firmware versions. It may let an unauthorized user access files outside the intended web path. Business urgency depends on whether these devices are deployed and reachable from untrusted networks.

Executive priority

Prioritize identification and upgrade if these Starcharge products are deployed, especially on exposed networks. The absence of scoring and KEV evidence lowers certainty, not necessarily impact.

Technical view

The CVE record describes directory traversal via main.cgi in Nova 360 Cabinet <=1.3.0.0.6 and Titan 180 Premium <=1.3.0.0.7b102. Fixed versions are Nova 360 Cabinet 1.3.0.0.9 and Titan 180 Premium Beta1.3.0.1.0. No CVSS, CWE, or detailed impact scoring is provided.

Likely exposure

Exposure is limited to organizations running the named Starcharge models on affected firmware. Risk rises if the management interface or main.cgi is reachable from the internet, shared networks, vendors, or other untrusted users.

Exploitation context

The source bundle does not show CISA KEV listing or cite active exploitation. Public references include a GitHub advisory-style writeup, but the provided data does not establish exploitation in the wild.

Researcher notes

Evidence is sparse: the CVE text names affected versions and fixed versions, but omits CVSS, CWE, prerequisites, authentication requirements, and impact details. Avoid assuming broader Starcharge exposure beyond the two listed products.

Mitigation direction

  • Inventory Starcharge Nova 360 Cabinet and Titan 180 Premium deployments.
  • Upgrade Nova 360 Cabinet to 1.3.0.0.9 or later vendor guidance.
  • Upgrade Titan 180 Premium to Beta1.3.0.1.0 or later vendor guidance.
  • Restrict management access to trusted administrative networks only.
  • Review vendor advisories before applying beta or model-specific firmware.

Validation and detection

  • Confirm product model and firmware version from device administration records.
  • Check whether main.cgi is reachable from untrusted network paths.
  • Review access logs for unusual main.cgi file access attempts.
  • Verify upgraded firmware after maintenance completion.
  • Document compensating network controls where upgrades are delayed.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

description · low confidence lookup

File access behavior lookup

The CVE wording references file access or upload behavior, so file telemetry and web shell review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2021-45418 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
3Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.