CVE-2021-38759 Overview
CVE-2021-38759 is a hardcoded credentials vulnerability affecting Raspberry Pi OS through version 5.10. The operating system ships with a default pi user account protected by the well-known password raspberry. Any attacker reaching the device over the network can authenticate using these credentials if the administrator has not changed them. Successful login grants administrator privileges through the account's sudo membership.
The vulnerability is classified under CWE-1188 (Insecure Default Initialization of Resource). Public exploitation tooling exists in Exploit-DB, and the EPSS model places this issue in the 96th percentile for exploitation likelihood.
Critical Impact
Network-reachable Raspberry Pi devices running unmodified default credentials allow unauthenticated attackers to gain full administrative control over the host.
Affected Products
- Raspberry Pi OS Lite through version 5.10
- Raspberry Pi OS desktop builds shipping the default pi account
- Any downstream image inheriting the default pi/raspberry credential pair
Discovery Timeline
- 2021-12-07 - CVE-2021-38759 published to the National Vulnerability Database
- 2022-04 - Raspberry Pi Foundation removes the default pi user account in new OS images, as reported by Ars Technica
- 2024-11-21 - NVD entry last updated
Technical Details for CVE-2021-38759
Vulnerability Analysis
The vulnerability stems from the operating system image shipping with a preconfigured user account named pi and a static password of raspberry. The pi user is a member of the sudo group, and the default /etc/sudoers.d/010_pi-nopasswd file grants it passwordless sudo, so a login as pi escalates to root without any further prompt.
When the Secure Shell (SSH) service is enabled, either manually or through provisioning files such as an empty file named ssh placed in the boot partition, the credential pair is reachable over the network. Attackers do not need to brute-force anything because the credentials are public and documented. The issue is amplified by the device profile: Raspberry Pi hardware is widely deployed in industrial controllers, kiosks, hobbyist servers, and Internet of Things (IoT) gateways where management interfaces are often exposed.
Root Cause
The root cause is an insecure default configuration. The Raspberry Pi OS installer historically created the pi account with fixed credentials to simplify first-boot setup. Because the password was identical across every installation, the secret offered no authentication value once published in documentation.
Attack Vector
The attack vector is remote and unauthenticated. An attacker scans for TCP port 22 on Raspberry Pi devices, identifies the SSH banner (SSH-2.0-OpenSSH on Debian-derived builds), and authenticates with pi:raspberry. After login, the attacker invokes sudo -i to obtain a root shell, installs persistence, or pivots into the connected network. The vulnerability requires no user interaction and no prior privileges on the target.
No verified proof-of-concept code is reproduced here. Technical details and exploitation notes are available in the Packet Storm Security advisory.
Detection Methods for CVE-2021-38759
Indicators of Compromise
- Successful SSH authentication events for user pi from unexpected source IP addresses in /var/log/auth.log
- Unexpected entries in /home/pi/.ssh/authorized_keys indicating attacker-installed persistence
- New cron jobs or systemd units owned by pi or root that were not deployed by administrators
- Outbound connections from the device to unknown command-and-control infrastructure
Detection Strategies
- Audit all running Raspberry Pi OS hosts for the presence of an active pi account using getent passwd pi
- Test whether the account still accepts the password raspberry during authorized internal assessments
- Monitor SSH authentication logs for repeated successful logins as pi from external networks
- Correlate network telemetry to flag SSH sessions terminating on hosts whose MAC addresses fall within the Raspberry Pi OUI ranges (B8:27:EB, DC:A6:32, E4:5F:01)
Monitoring Recommendations
- Forward /var/log/auth.log to a centralized logging or SIEM platform for retention and alerting
- Alert on any privilege escalation through sudo performed by the pi account
- Track process execution baselines on Raspberry Pi devices and flag deviations such as unexpected compilers, package managers, or networking tools
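The two log-based checks above (successful SSH logins as pi from outside the local network, and sudo escalation to root by pi) can be implemented directly over /var/log/auth.log. The following POSIX shell script is an added example, not part of the advisory or of any Raspberry Pi Foundation tooling; the function names and the sample log lines are constructed for illustration, and "external" is approximated as "not RFC 1918 private space", which you should widen to your own management ranges.

```shell
#!/bin/sh
# Added example: detect CVE-2021-38759 abuse patterns in sshd/sudo syslog lines.
# Sample lines below are CONSTRUCTED, not taken from a real host.
SAMPLE_AUTH_LOG='Nov 21 10:01:02 raspberrypi sshd[1234]: Accepted password for pi from 192.168.1.50 port 51234 ssh2
Nov 21 10:05:17 raspberrypi sshd[1301]: Accepted password for pi from 203.0.113.45 port 40210 ssh2
Nov 21 10:05:20 raspberrypi sudo:       pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/bin/bash
Nov 21 10:06:01 raspberrypi sshd[1350]: Failed password for pi from 198.51.100.9 port 33000 ssh2
Nov 21 10:07:44 raspberrypi sshd[1402]: Accepted publickey for deploy from 10.0.0.7 port 55555 ssh2'

# Return 0 when the IPv4 address is in an RFC 1918 private range, 1 otherwise.
# Extend the patterns with your own trusted management ranges as needed.
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the source IP of every successful SSH login as "pi" that originates
# outside private address space. Reads syslog-format text on stdin.
external_pi_logins() {
  grep -E 'sshd\[[0-9]+\]: Accepted (password|publickey) for pi from ' |
    sed -E 's/.* for pi from ([0-9.]+) port .*/\1/' |
    while read -r ip; do
      is_private_ipv4 "$ip" || printf '%s\n' "$ip"
    done
}

# Count sudo escalations to root performed by "pi". Reads syslog text on stdin.
# wc/tr instead of grep -c so an empty result yields "0" without a failing status.
pi_sudo_to_root_count() {
  grep -E 'sudo: +pi : .*USER=root' | wc -l | tr -d ' '
}

# Demonstration on the constructed sample; on a live host use
#   external_pi_logins < /var/log/auth.log
echo "External logins as pi:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | external_pi_logins
echo "sudo escalations to root by pi: $(printf '%s\n' "$SAMPLE_AUTH_LOG" | pi_sudo_to_root_count)"
```

On the sample, only 203.0.113.45 is reported (the 192.168.1.50 login is private, and the failed attempt is ignored), and one sudo escalation is counted. On images that ship journald without rsyslog, feed the script `journalctl -u ssh -o short` output, which uses the same syslog-style line layout.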
How to Mitigate CVE-2021-38759
Immediate Actions Required
- Change the password for the pi account on every device using passwd pi, or delete the account entirely with sudo deluser --remove-home pi after creating a replacement administrative user
- Disable password-based SSH authentication in /etc/ssh/sshd_config by setting PasswordAuthentication no and rely on public key authentication (install the authorized public keys and confirm a key-based login works before disabling passwords, or remote access is lost)
- Restrict SSH exposure with host-based firewalls or place devices behind a VPN rather than allowing direct Internet access
- Upgrade to a current Raspberry Pi OS image, which no longer creates the pi account by default during first boot
Patch Information
The Raspberry Pi Foundation addressed the underlying issue in April 2022 by removing the default pi account from installer images and requiring the user to create an administrative account during initial setup. See the official Raspberry Pi configuration documentation for guidance on credential management.
Workarounds
- Enforce SSH key authentication and remove all default credentials before connecting devices to any network
- Bind SSH to a management interface only using the ListenAddress directive in sshd_config
- Apply network segmentation so that Raspberry Pi devices cannot be reached from untrusted subnets
- Deploy fail2ban or equivalent rate-limiting to slow credential abuse against any remaining password-authenticated services
# Configuration example: rotate the default pi credential and harden SSH
sudo passwd pi
# Disable password and root logins; the \? handles both commented and uncommented directives.
# Note: sed only rewrites an existing line, so confirm the directive is present afterwards.
sudo sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
# Validate the configuration before restarting so a typo cannot lock you out of the device
sudo sshd -t && sudo systemctl restart ssh
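To verify that the hardening above actually took effect, and to cover the audit step of checking for an active pi account, the following POSIX shell script is an added example, not part of the advisory or of Raspberry Pi OS. It checks the three conditions this page identifies as making the issue exploitable: PasswordAuthentication still enabled, a pi entry in the passwd database, and the passwordless-sudo drop-in for pi. The function names are assumptions, each check takes a file path so it can be run against constructed files, and the sample files below are constructed rather than taken from a real host.

```shell
#!/bin/sh
# Added example: audit a Raspberry Pi OS host for the CVE-2021-38759 preconditions.
# Each check prints a FINDING line and returns 1 when the weak state is present,
# 0 when it is not, so the functions compose with && / || in scripts.

# Effective value of an sshd_config keyword. sshd uses the first match for a
# keyword, so we stop at the first non-comment line; print a default when unset.
sshd_effective() {
  # $1 = keyword, $2 = config file, $3 = OpenSSH default when the keyword is absent
  value=$(awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2")
  printf '%s\n' "${value:-$3}"
}

# Check 1: password authentication is still enabled (OpenSSH default is "yes",
# so a commented-out "#PasswordAuthentication yes" still counts as enabled).
check_password_auth() {
  if [ "$(sshd_effective PasswordAuthentication "$1" yes)" = "yes" ]; then
    echo "FINDING: PasswordAuthentication is enabled in $1"
    return 1
  fi
  return 0
}

# Check 2: the default "pi" account still exists. $1 = passwd-format file
# (defaults to /etc/passwd); equivalent to the advisory's getent passwd pi.
check_pi_account() {
  if cut -d: -f1 "${1:-/etc/passwd}" | grep -qx pi; then
    echo "FINDING: default 'pi' account exists in ${1:-/etc/passwd}"
    return 1
  fi
  return 0
}

# Check 3: the drop-in granting pi passwordless sudo is still present.
check_pi_nopasswd() {
  f="${1:-/etc/sudoers.d/010_pi-nopasswd}"
  if [ -f "$f" ] && grep -Eq '^pi[[:space:]].*NOPASSWD' "$f"; then
    echo "FINDING: $f grants pi passwordless sudo"
    return 1
  fi
  return 0
}

# Demonstration on CONSTRUCTED files in a temporary directory (not a real host).
# On a live device call the checks with no arguments to use the system paths.
demo=$(mktemp -d)
printf '# as shipped: directive commented out, so the default (yes) applies\n#PasswordAuthentication yes\nPermitRootLogin no\n' > "$demo/sshd_config.weak"
printf 'PasswordAuthentication no\nPermitRootLogin no\n' > "$demo/sshd_config.hardened"
printf 'root:x:0:0:root:/root:/bin/bash\npi:x:1000:1000:,,,:/home/pi:/bin/bash\n' > "$demo/passwd"
printf 'pi ALL=(ALL) NOPASSWD: ALL\n' > "$demo/010_pi-nopasswd"

check_password_auth "$demo/sshd_config.weak" || true       # prints a finding
check_password_auth "$demo/sshd_config.hardened" || true   # silent
check_pi_account "$demo/passwd" || true                    # prints a finding
check_pi_nopasswd "$demo/010_pi-nopasswd" || true          # prints a finding
rm -rf "$demo"
```

The sshd_effective helper matters because the stock sshd_config carries PasswordAuthentication only as a commented-out line: a naive grep for "PasswordAuthentication no" would miss the fact that the compiled-in default still permits password logins.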
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.