Loftware Spectrum before 4.6 HF14 uses a Hard-coded Password.
The Loftware Spectrum application stores a constant, unchanged password in its source code or configuration (CWE-259). An attacker who learns this password — for example, through analysis of binary files or publicly available information — can use it to authenticate to the system without any additional privileges. The attack vector is network-based, does not require user interaction or special conditions, making the vulnerability exceptionally easy to exploit.
An attacker can gain full, unauthorized access to the Loftware Spectrum system, leading to violations of confidentiality, integrity, and availability of application data and functions.
Loftware Spectrum must be immediately updated to version 4.6 HF14 or later, in accordance with the manufacturer's information available at: https://docs.loftware.com/spectrum-releasenotes/Content/Hotfix/4.6_HF14.htm. Until the patch is deployed, it is recommended to restrict network access to the Loftware Spectrum system exclusively to trusted hosts.
Loftware Spectrum in all versions before 4.6 HF14.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLoftware Spectrum
APPLoftware4.6< 4.6
Related vulnerabilities
Niebezpieczna deserializacja danych w Loftware Spectrum przed wersją 4.6 HF13
Loftware Spectrum — brak uwierzytelnienia dla krytycznej funkcji (Auth Bypass)
Loftware Spectrum — niezabezpieczony rejestr JMX umożliwia zdalny dostęp
Loftware Spectrum before 4.6 HF14 allows authenticated XXE attacks.
Loftware Spectrum (testDeviceConnection) before 5.1 allows SSRF.