CRITICAL🇵🇱 Wersja polska

CVE-2023-49253

CVSS 9.8v3.1pub. 2024-01-12upd. 2025-06-20

Root user password is hardcoded into the device and cannot be changed in the user interface.

🤖 AI Analysis
How it works

The manufacturer embedded a hardcoded root account password directly into the device firmware. This password is identical for all device units and cannot be changed by the administrator through the user interface. This means that anyone who knows this password can log in to the root account on any device of this model.

Impact

An attacker can gain full root access to the device, enabling complete device takeover, configuration modification, network traffic interception, and potential use of the device as an entry point to the internal network.

Mitigation & patch

Apply patches available from the manufacturer according to the references. Until firmware is updated, it is recommended to isolate devices from public network access, use firewalls to restrict access to management ports, and monitor unauthorized login attempts.

Who is affected

Hongdian H8951-4G-Esp Firmware — versions indicated in manufacturer references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Hongdian H8951 4g Esp

    HW
    Hongdian
    wszystkie wersje
  • Hongdian H8951 4g Esp Firmware

    OS
    Hongdian
    < 2310271149
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2023-49262CRITICAL9.8PL ✓ten sam produkt

Pominięcie uwierzytelnienia przez przepełnienie pola Cookie w Hongdian H8951-4G-Esp

CVE-2023-49255CRITICAL9.8PL ✓ten sam produkt

Hongdian H8951-4G-Esp — dostęp do konsoli routera bez uwierzytelnienia

CVE-2023-49257HIGH8.8ten sam produkt

An authenticated user is able to upload an arbitrary CGI-compatible file using the certificate upload utility ...

CVE-2023-49259HIGH7.5ten sam produkt

The authentication cookies are generated using an algorithm based on the username, hardcoded secret and the up...

CVE-2023-49254HIGH8.8ten sam produkt

Authenticated user can execute arbitrary commands in the context of the root user by providing payload in the ...