Default credentials on the Web Interface of Evolution Controller 2.x allows anyone to log in to the server directly to perform administrative functions. Upon installation or upon first login, the application does not ask the user to change the password. There is no warning or prompt to ask the user to change the default password.
The application does not require users to change the default password during installation or on first launch. No warning or prompt is displayed to change the default credentials. As a result, anyone knowing the factory login credentials can log in directly to the web interface and perform administrative functions without any additional authentication barriers.
An attacker gains full administrative access to the Evolution Controller system, enabling them to read and modify configuration, and potentially compromise the confidentiality, integrity, and availability of the controlled environment.
Immediately change the default administrative password to a strong, unique password and apply patches available from the manufacturer according to the references. It is also recommended to restrict access to the web interface only to trusted IP addresses using a firewall and to monitor unauthorized login attempts.
Cs-Technologies Evolution Controller version 2.x with default web interface configuration
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCs Technologies Evolution
APPCs-Technologies≤ 2.04.560
Related vulnerabilities
Auth Bypass w Evolution Controller — nieautoryzowane przejęcie kont
The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below uses poor session management,...
The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below does not proper sanitize user...
The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured ac...
The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured ac...