MinMax CMS from MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend system without being recorded in the system logs.
In the MinMax CMS system, there exists a hidden administrator account with a hardcoded password (CWE-798), which is an intentionally built-in, concealed access mechanism (CWE-912 — backdoor). This account cannot be removed or disabled from the administrative panel level, making it impossible for administrators to block it using standard methods. An attacker who discovers the credentials of this account can bypass implemented access restrictions based on IP addresses and log into the backend panel without any entry in system logs, effectively concealing the breach itself.
An attacker gains unauthorized, full administrative access to the CMS system, bypassing access control mechanisms and event logging. It is possible to seize control of website content, steal data, and conduct further actions within the infrastructure.
Patches available from the manufacturer should be applied according to the references. Due to the inability to remove the backdoor account from the management interface level, updating to the patched version is the only effective remedial measure. It is also recommended to monitor login attempts to the administrative panel at the network level and implement additional access control mechanisms (e.g., application firewall).
MinMax CMS by MinMax Digital Technology — specific versions indicated in the manufacturer's references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H