PatchSiren cyber security CVE debrief
CVE-2021-3854 Glox CVE debrief
A critical SQL injection vulnerability in Glox Technology Useroam Hotspot allows unauthenticated remote attackers to execute arbitrary SQL commands, potentially leading to complete database compromise. The vulnerability affects all versions prior to 5.1.0.15. The issue was disclosed in March 2023 with a CVSS 3.1 score of 9.8 (Critical), indicating network exploitable, low complexity, no privileges required, and high impact across confidentiality, integrity, and availability. The vulnerability was originally identified in 2021 but not publicly disclosed until 2023. Organizations should upgrade to version 5.1.0.15 or later and implement input validation and parameterized queries as defense-in-depth measures.
- Vendor: Glox
- Product: Useroam Hotspot
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2023-03-02
- Original CVE updated: 2026-05-18
- Advisory published: 2023-03-02
- Advisory updated: 2026-05-18
Who should care
Organizations operating Glox Useroam Hotspot captive portal/guest access management systems, particularly in hospitality, enterprise, and service provider environments where guest network access is managed through this platform.
Technical summary
The Useroam Hotspot application fails to properly neutralize special elements in SQL commands, allowing attackers to inject malicious SQL statements. The vulnerability is remotely exploitable without authentication, requires low attack complexity, and can result in complete compromise of database confidentiality, integrity, and availability. The CVSS 3.1 score of 9.8 reflects maximum impact across all three security dimensions with minimal attack requirements.
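The weakness class described above (CWE-89, improper neutralization of special elements in an SQL command) and the "parameterized statement" item in the defensive actions below come down to one difference in how a query is built. The following Python example is added here for illustration; it is not code from Glox or from the Useroam Hotspot product, whose schema and internals are not in the advisory. The `users` table, the sample rows and the username allow-list pattern are all assumptions constructed for the demo; the in-memory SQLite database stands in for whatever the real application uses.

```python
import re
import sqlite3

# Constructed demo data; the real Useroam Hotspot schema is not known from the advisory.
DEMO_USERS = [("alice", "guest"), ("bob", "guest"), ("portal_admin", "admin")]

# Allow-list for a hotspot username (assumption): letters, digits, a few separators, 1-64 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")


def build_demo_db():
    """Create an in-memory SQLite database with a small users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", DEMO_USERS)
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username):
    """CWE-89 pattern: untrusted input is spliced into the SQL text.

    Quotes, OR and comment markers inside `username` become part of the statement
    instead of data; that is what 'improper neutralization' means in the CVE text.
    """
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_parameterized(conn, username):
    """Fix: the statement text is constant and the value travels as a bound parameter.

    The driver never parses the username as SQL, so a tautology such as
    ' OR '1'='1 is simply a username that matches no row.
    """
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_user_hardened(conn, username):
    """Defense in depth: allow-list validation first, then the parameterized query."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allowed set")
    return lookup_user_parameterized(conn, username)


if __name__ == "__main__":
    conn = build_demo_db()
    probe = "' OR '1'='1"  # textbook tautology used in SQL injection test cases
    print("vulnerable   :", lookup_user_vulnerable(conn, probe))    # every row comes back
    print("parameterized:", lookup_user_parameterized(conn, probe))  # []
    try:
        lookup_user_hardened(conn, probe)
    except ValueError as exc:
        print("hardened     : rejected ->", exc)
```

The point of keeping the validation layer on top of the bound parameter is that the two fail independently: a future refactor that reintroduces string building is still caught by the allow-list, and an input the allow-list happens to admit is still passed as data, never as SQL.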
Defensive priority
critical
Recommended defensive actions
- Upgrade Glox Useroam Hotspot to version 5.1.0.15 or later immediately
- Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts
- Review application logs for indicators of SQL injection exploitation attempts
- Apply principle of least privilege to database accounts used by the application
- Conduct security assessment of all database queries for parameterized statement implementation
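The third action above, reviewing application logs for signs of SQL injection attempts, is easy to start on with a small scanner over the web access log. The example below is added here and is not Glox code; the Useroam Hotspot log format is not given in the advisory, so an Apache/nginx-style combined log line is assumed, and the sample lines (with RFC 5737 documentation addresses) are constructed for the demo. It URL-decodes each request target a bounded number of times, so double-encoded payloads are seen, and reports which heuristic indicator fired on which line and from which client.

```python
import re
from urllib.parse import unquote_plus

# Assumed combined-log shape: client, timestamp, "METHOD target HTTP/x.y", status, bytes.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Heuristic SQL injection indicators, matched against the URL-decoded request target.
INDICATORS = {
    "quote-boolean": re.compile(r"'\s*(or|and)\s+", re.I),           # ' OR '1'='1
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "comment-terminator": re.compile(r"(--|/\*)"),
    "stacked-query": re.compile(r";\s*(drop|insert|update|delete|select)\b", re.I),
    "time-delay": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),
}


def decode_target(target, rounds=3):
    """URL-decode repeatedly (bounded) so a double-encoded quote such as %2527 is revealed."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan_access_log(lines):
    """Return one finding per log line carrying at least one SQL injection indicator."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line in the assumed format; skip rather than guess
        target = decode_target(match.group("target"))
        hits = [name for name, pattern in INDICATORS.items() if pattern.search(target)]
        if hits:
            findings.append(
                {
                    "line": lineno,
                    "client": match.group("client"),
                    "target": target,
                    "indicators": hits,
                }
            )
    return findings


# Constructed sample log lines; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Mar/2023:10:00:01 +0000] "GET /login?user=alice HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Mar/2023:10:00:02 +0000] "GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4096',
    '203.0.113.9 - - [02/Mar/2023:10:00:03 +0000] "GET /search?q=phone%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- HTTP/1.1" 500 0',
    '198.51.100.4 - - [02/Mar/2023:10:00:04 +0000] "GET /static/app.css HTTP/1.1" 200 2048',
    '198.51.100.8 - - [02/Mar/2023:10:00:05 +0000] "GET /help?topic=for%20or%20against HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(f"line {finding['line']} from {finding['client']}: {finding['indicators']}")
        print(f"    {finding['target']}")
```

Two lines are flagged and the ordinary "for or against" search is not, because the boolean pattern requires a quote before the keyword. Treat the output as a triage queue rather than a verdict: a hit on an endpoint that later returned an unusually large or error response (the 4096-byte and 500 lines above) is the kind of pairing worth pulling the full request for, and a WAF rule built from the same patterns should be tested against real traffic before it blocks.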
Evidence notes
CVE published 2023-03-02; modified 2026-05-18. CPE confirms affected versions: cpe:2.3:a:glox:useroam_hotspot:*:*:*:*:*:*:*:* with versionEndExcluding 5.1.0.15. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Weakness: CWE-89 (SQL Injection). Advisory sources from Turkish National Cyber Security Incident Response Team (USOM).
Official resources
- CVE-2021-3854 CVE record (CVE.org)
- CVE-2021-3854 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: Mitigation or vendor reference, [email protected] (Third Party Advisory), 2023-03-02