Incorrect access control in the realtime.cgi endpoint of Deep Sea Electronics devices DSE855 v1.1.0 to v1.1.26 allows attackers to gain access to the admin panel and complete control of the device.
The realtime.cgi endpoint on DSE855 devices does not enforce proper access permission verification. An attacker can remotely access the device administration panel without any authentication and without user interaction. As a result, it is possible to seize full control of the device without knowledge of any login credentials.
An attacker gains unlimited access to the DSE855 device administration panel and full control over its operation, which may include reading confidential configuration data, modifying settings, and disrupting device operation.
Manufacturer patches should be applied according to references. Until updates are applied, it is recommended to isolate DSE855 devices from public networks, restrict access to the realtime.cgi endpoint at the firewall level, and implement network segmentation.
Deep Sea Electronics DSE855 in versions from v1.1.0 to v1.1.26 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H