COMMAX Smart Home IoT Control System SQL Injection Authentication Bypass

Advisories

severity: high
date: December 9, 2025
Affecting: Smart Home IoT Control System CDP-1020n, 481 System
CVE: CVE-2021-47708
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS: 8
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
References: ExploitDB-50207
COMMAX Vendor Homepage
Zero Science Lab Disclosure (ZSL-2021-5662)
Credit: LiquidWorm as Gjoko Krstic of Zero Science Lab
Description: COMMAX Smart Home System CDP-1020n contains an SQL injection vulnerability that allows attackers to bypass authentication by injecting arbitrary SQL code through the 'id' parameter in 'loginstart.asp'. Attackers can exploit this by sending a POST request with malicious 'id' values to manipulate database queries and gain unauthorized access.