6. February 2018 - Thomas Roth - firstname.lastname@example.org
CVSS: 9.6 Critical
This vulnerability has been confirmed to be exploitable. The vulnerability will potentially be published after 60 days or after a patch for the vulnerability has been released.
It was found that an SSH server is running on the Vobot and that a hardcoded vobot user account is available with a hardcoded (but MD5 hashed) password. Notably this user has full root privileges on the device.
An attacker that gains access to this password (for example by cracking the hash) is able to log into the Vobot and has full control of the device.
There should be no hardcoded and non user-changeable passwords on the device.
It was confirmed by changing the password of the vobot user using the vulnerability described in CVE-2018-6826 that this user has full root privileges.
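
A release-time check for the condition described above, as an added example (not part of the original advisory or the vendor's code): it scans the passwd and shadow content of an unpacked firmware image for accounts that ship with a usable password and reports the hash scheme. The sample entries are constructed placeholders, and it assumes the hash is stored in crypt(3) format, which the advisory does not state.

```python
# Added example: flag accounts that ship with a usable password in firmware.
# Every entry below is a constructed placeholder, not data from the Vobot.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
vobot:x:0:0:device account:/home/vobot:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
"""
SAMPLE_SHADOW = """\
root:*:17000:0:99999:7:::
vobot:$1$CONSTRUC$PLACEHOLDERHASH0000000:17000:0:99999:7:::
daemon:!:17000:0:99999:7:::
"""

SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}
WEAK = {"empty", "descrypt", "md5crypt"}
NOLOGIN = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def scheme(field):
    """Classify a crypt(3) password field by its scheme identifier."""
    if field == "":
        return "empty"                      # no password required at all
    if field[0] in "!*":
        return "locked"                     # password login disabled
    if field.startswith("$"):
        return SCHEMES.get(field.split("$")[1], "unknown")
    return "descrypt" if len(field) == 13 else "unknown"

def audit(passwd_text, shadow_text):
    """Return one finding per account whose password login is enabled."""
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            shadow[parts[0]] = parts[1]
    findings = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue                        # skip malformed or blank lines
        name, pw, uid, shell = parts[0], parts[1], parts[2], parts[6]
        # "x" means the hash lives in shadow; a missing entry cannot log in.
        kind = scheme(shadow.get(name, "*") if pw == "x" else pw)
        if kind != "locked":
            findings.append({"user": name, "uid0": uid == "0", "scheme": kind,
                             "weak": kind in WEAK,
                             "interactive": shell not in NOLOGIN})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(finding)
```

Any finding in a factory image is a credential shared by every unit; a finding with both `uid0` and `weak` set corresponds to the situation this advisory reports.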