CVE-2021-45418: Certain Starcharge products are vulnerable to Directory Traversal via main.cgi.
Certain Starcharge products are vulnerable to Directory Traversal via main.cgi. The affected products include: Nova 360 Cabinet <=1.3.0.0.6 - Fixed: 1.3.0.0.9 and Titan 180 Premium <=1.3.0.0.7b102 - Fixed: Beta1.3.0.1.0.
Security readout for executives and security teams
Plain-English summary
CVE-2021-45418 is a directory traversal issue in main.cgi affecting specific Starcharge Nova 360 Cabinet and Titan 180 Premium firmware versions. It may let an unauthorized user access files outside the intended web path. Business urgency depends on whether these devices are deployed and reachable from untrusted networks.
Executive priority
Prioritize identification and upgrade if these Starcharge products are deployed, especially on exposed networks. The absence of scoring and KEV evidence lowers certainty, not necessarily impact.
Technical view
The CVE record describes directory traversal via main.cgi in Nova 360 Cabinet <=1.3.0.0.6 and Titan 180 Premium <=1.3.0.0.7b102. Fixed versions are Nova 360 Cabinet 1.3.0.0.9 and Titan 180 Premium Beta1.3.0.1.0. No CVSS, CWE, or detailed impact scoring is provided.
Likely exposure
Exposure is limited to organizations running the named Starcharge models on affected firmware. Risk rises if the management interface or main.cgi is reachable from the internet, shared networks, vendors, or other untrusted users.
Exploitation context
The source bundle does not show CISA KEV listing or cite active exploitation. Public references include a GitHub advisory-style writeup, but the provided data does not establish exploitation in the wild.
Researcher notes
Evidence is sparse: the CVE text names affected versions and fixed versions, but omits CVSS, CWE, prerequisites, authentication requirements, and impact details. Avoid assuming broader Starcharge exposure beyond the two listed products.
Mitigation direction
Inventory Starcharge Nova 360 Cabinet and Titan 180 Premium deployments.
Upgrade Nova 360 Cabinet to 1.3.0.0.9 or later vendor guidance.
Upgrade Titan 180 Premium to Beta1.3.0.1.0 or later vendor guidance.
Restrict management access to trusted administrative networks only.
Review vendor advisories before applying beta or model-specific firmware.
Validation and detection
Confirm product model and firmware version from device administration records.
Check whether main.cgi is reachable from untrusted network paths.
Review access logs for unusual main.cgi file access attempts.
Verify upgraded firmware after maintenance completion.
Document compensating network controls where upgrades are delayed.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
description · low confidence lookup
File access behavior lookup
The CVE wording references file access or upload behavior, so file telemetry and web shell review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
1ADP providers
3Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Dec 22, 2021, 15:56 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.