Root user password is hardcoded into the device and cannot be changed in the user interface.
The manufacturer embedded a hardcoded root account password directly into the device firmware. This password is identical for all device units and cannot be changed by the administrator through the user interface. This means that anyone who knows this password can log in to the root account on any device of this model.
An attacker can gain full root access to the device, enabling complete device takeover, configuration modification, network traffic interception, and potential use of the device as an entry point to the internal network.
Apply patches available from the manufacturer according to the references. Until firmware is updated, it is recommended to isolate devices from public network access, use firewalls to restrict access to management ports, and monitor unauthorized login attempts.
Hongdian H8951-4G-Esp Firmware — versions indicated in manufacturer references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HHongdian H8951 4g Esp
HWHongdianwszystkie wersjeHongdian H8951 4g Esp Firmware
OSHongdian< 2310271149
Related vulnerabilities
Pominięcie uwierzytelnienia przez przepełnienie pola Cookie w Hongdian H8951-4G-Esp
Hongdian H8951-4G-Esp — dostęp do konsoli routera bez uwierzytelnienia
An authenticated user is able to upload an arbitrary CGI-compatible file using the certificate upload utility ...
The authentication cookies are generated using an algorithm based on the username, hardcoded secret and the up...
Authenticated user can execute arbitrary commands in the context of the root user by providing payload in the ...