Monthly
Siklu EtherHaul 8010 wireless backhaul devices contain a static root password that enables physical attackers or those with local console access to gain complete administrative control without authentication. The vulnerability affects firmware version 10.6.2-18707 and potentially other versions of the EtherHaul 8010 product line, allowing credential-based authentication bypass with high confidentiality and integrity impact. No public exploit code or active exploitation has been confirmed at this time, though the CVSS:3.1 physical attack vector (AV:P) reflects that an attacker must have direct physical access to the device's console interfaces.
Hardcoded password vulnerability in Yokogawa CENTUM VP allows authentication bypass for the PROG system account across versions R5.01.00-R5.04.20, R6.01.00-R6.12.00, and R7.01.00. An attacker who obtains the hardcoded credential and has direct access to the Human Interface Station (HIS) running CTM authentication mode can log in as PROG; however, real-world risk is constrained because PROG defaults to S1 (OFFUSER) permission level, and exploitation requires pre-existing HIS access. No public exploit code or active CISA KEV status identified at time of analysis.
A hard-coded credentials vulnerability exists in Yi Technology YI Home Camera 2 firmware version 2.1.1_20171024151200, specifically in the home/web/ipc file component. An unauthenticated attacker on the local network can exploit these credentials to gain full access to the device with high impact on confidentiality, integrity, and availability (CVSS 8.8). The exploit has been publicly disclosed via VulDB references, and the vendor did not respond to early disclosure attempts, indicating no official patch is available.
QNAP Hyper Data Protector before 2.3.1.455 contains hard-coded credentials that allow remote unauthenticated attackers to gain unauthorized access to backup management functions, potentially compromising all backed-up data across the organization.
Tenda G1V3.1si V16.01.7.8 Firmware V16.01.7.8 was discovered to contain a hardcoded password vulnerability in /etc_ro/shadow, which allows attackers to log in as root. [CVSS 8.4 HIGH]
Tenda i24V3.0si V3.0.0.5 Firmware V3.0.0.5 was discovered to contain a hardcoded password vulnerability in /etc_ro/shadow, which allows attackers to log in as root. [CVSS 8.4 HIGH]
A security flaw has been discovered in Beetel 777VR1 up to 01.00.09. This issue affects some unknown processing of the component WPA2 PSK. Performing a manipulation results in hard-coded credentials. The attacker must have access to the local network to execute the attack. The complexity of an attack is rather high. The exploitability is assessed as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did ...
Hard-coded credentials in the Beetel 777VR1 Web Management Interface allow unauthenticated attackers on the local network to gain full administrative access with high integrity and confidentiality impact. Public exploit code is available and actively used, with no patch currently available from the vendor. Affected organizations should immediately implement network segmentation and access controls to restrict management interface exposure.
PlaciPy placement management system 1.0.0 uses a hard-coded password, allowing any attacker who discovers it to gain full system access.
Ax12 Pro Firmware versions up to 16.03.49.24_cn is affected by use of hard-coded password (CVSS 8.1).
Siklu EtherHaul 8010 wireless backhaul devices contain a static root password that enables physical attackers or those with local console access to gain complete administrative control without authentication. The vulnerability affects firmware version 10.6.2-18707 and potentially other versions of the EtherHaul 8010 product line, allowing credential-based authentication bypass with high confidentiality and integrity impact. No public exploit code or active exploitation has been confirmed at this time, though the CVSS:3.1 physical attack vector (AV:P) reflects that an attacker must have direct physical access to the device's console interfaces.
Hardcoded password vulnerability in Yokogawa CENTUM VP allows authentication bypass for the PROG system account across versions R5.01.00-R5.04.20, R6.01.00-R6.12.00, and R7.01.00. An attacker who obtains the hardcoded credential and has direct access to the Human Interface Station (HIS) running CTM authentication mode can log in as PROG; however, real-world risk is constrained because PROG defaults to S1 (OFFUSER) permission level, and exploitation requires pre-existing HIS access. No public exploit code or active CISA KEV status identified at time of analysis.
A hard-coded credentials vulnerability exists in Yi Technology YI Home Camera 2 firmware version 2.1.1_20171024151200, specifically in the home/web/ipc file component. An unauthenticated attacker on the local network can exploit these credentials to gain full access to the device with high impact on confidentiality, integrity, and availability (CVSS 8.8). The exploit has been publicly disclosed via VulDB references, and the vendor did not respond to early disclosure attempts, indicating no official patch is available.
QNAP Hyper Data Protector before 2.3.1.455 contains hard-coded credentials that allow remote unauthenticated attackers to gain unauthorized access to backup management functions, potentially compromising all backed-up data across the organization.
Tenda G1V3.1si V16.01.7.8 Firmware V16.01.7.8 was discovered to contain a hardcoded password vulnerability in /etc_ro/shadow, which allows attackers to log in as root. [CVSS 8.4 HIGH]
Tenda i24V3.0si V3.0.0.5 Firmware V3.0.0.5 was discovered to contain a hardcoded password vulnerability in /etc_ro/shadow, which allows attackers to log in as root. [CVSS 8.4 HIGH]
A security flaw has been discovered in Beetel 777VR1 up to 01.00.09. This issue affects some unknown processing of the component WPA2 PSK. Performing a manipulation results in hard-coded credentials. The attacker must have access to the local network to execute the attack. The complexity of an attack is rather high. The exploitability is assessed as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did ...
Hard-coded credentials in the Beetel 777VR1 Web Management Interface allow unauthenticated attackers on the local network to gain full administrative access with high integrity and confidentiality impact. Public exploit code is available and actively used, with no patch currently available from the vendor. Affected organizations should immediately implement network segmentation and access controls to restrict management interface exposure.
PlaciPy placement management system 1.0.0 uses a hard-coded password, allowing any attacker who discovers it to gain full system access.
Ax12 Pro Firmware versions up to 16.03.49.24_cn is affected by use of hard-coded password (CVSS 8.1).