A-Stage SCT-40CM01SR and AT-40CM01SR vulnerable to authentication bypass


SCT-40CM01SR and AT-40CM01SR provided by A-Stage Inc. are liquid crystal televisions. SCT-40CM01SR and AT-40CM01SR contain an authentication bypass vulnerability (CWE-287).

Shinnosuke Tokusho reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 5.4 (Medium) [IPA Score]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.8 (Medium) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

A-Stage Inc.
  • AT-40CM01SR
  • SCT-40CM01SR


An attacker who can access the device may log in via telnet without authentication and execute an arbitrary command.

According to the developer, even if an arbitrary command is executed, programs regarding the functions of the products can not be altered or deleted.

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
According to the developer, the update requires a repair support by the developer. For more information, contact the developer.
Vendor Information

A-Stage Inc.
CWE (What is CWE?)

  1. Improper Authentication(CWE-287) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2021-20776

  1. JVN : JVN#21636825
Revision History

  • [2021/07/05]
      Web page was published