CVE-2021-45418 in Nova 360 Cabinetinfo

Summary

by MITRE • 12/22/2021

Certain Starcharge products are vulnerable to Directory Traversal via main.cgi. The affected products include: Nova 360 Cabinet <=1.3.0.0.6 - Fixed: 1.3.0.0.9 and Titan 180 Premium <=1.3.0.0.7b102 - Fixed: Beta1.3.0.1.0.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/05/2026

The vulnerability identified as CVE-2021-45418 represents a critical directory traversal flaw in Starcharge's Nova 360 Cabinet product, which operates through the main.cgi web interface component. This vulnerability falls under the Common Weakness Enumeration category CWE-22, specifically addressing improper limitation of a pathname to a restricted directory, commonly known as path traversal or directory traversal attacks. The flaw enables unauthorized users to access files and directories outside the intended web root, potentially exposing sensitive system information, configuration files, and critical operational data.

The technical implementation of this vulnerability occurs within the main.cgi script which processes user input without proper validation or sanitization of file path parameters. When a malicious actor submits crafted input through the web interface, the application fails to properly filter or restrict the file path traversal sequences such as ../ or ..\, allowing attackers to navigate through the file system hierarchy. This weakness is particularly dangerous in industrial control systems where the Nova 360 Cabinet serves as a critical component for managing and monitoring electrical distribution systems, making it an attractive target for cyber adversaries seeking to disrupt operations or extract sensitive information.

The operational impact of this vulnerability extends beyond simple data exposure, as it can enable attackers to gain unauthorized access to system configuration files, operational parameters, and potentially manipulate the device's behavior. In the context of industrial environments, this could result in service disruption, unauthorized system modifications, or even physical security compromise of the electrical infrastructure. The vulnerability affects the broader Starcharge product line and demonstrates a fundamental security weakness in the web application layer that could potentially be exploited to escalate privileges or gain deeper system access.

Mitigation strategies for CVE-2021-45418 should include immediate patching of the affected main.cgi component through official firmware updates provided by Starcharge, implementation of input validation and sanitization measures to prevent path traversal attacks, and network segmentation to limit access to the affected device. Security controls should also incorporate web application firewalls to detect and block suspicious path traversal attempts, along with regular security assessments of industrial control systems. Organizations should follow the ATT&CK framework's T1190 technique for exploiting vulnerabilities in web applications, implementing defensive measures that address both the specific directory traversal vulnerability and broader application security practices. Additionally, access controls should be strictly enforced through multi-factor authentication and role-based access controls to minimize the attack surface and reduce the potential impact of successful exploitation attempts.

Reservation

12/20/2021

Disclosure

12/22/2021

Moderation

accepted

CPE

ready

EPSS

0.02110

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!