CRITICAL · 9.8

CVE-2018-16705

Vulnerability Description

FURUNO FELCOM 250 and 500 devices allow unauthenticated access to the xml/permission.xml file containing all of the system's usernames and passwords. This includes the Admin and Service user accounts and their unsalted MD5 hashes, as well as the SMS server password in cleartext.

CVSS Score

9.8

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH

Affected Products

Vendor    Product                Versions
Furuno    Felcom 250 Firmware    -
Furuno    Felcom 250             -
Furuno    Felcom 500 Firmware    -
Furuno    Felcom 500             -

Related Weaknesses (CWE)

References

FAQ

What is CVE-2018-16705?

CVE-2018-16705 is a vulnerability with a CVSS score of 9.8 (CRITICAL). FURUNO FELCOM 250 and 500 devices allow unauthenticated access to the xml/permission.xml file containing all of the system's usernames and passwords. This includes the Admin and Service user accounts ...

How severe is CVE-2018-16705?

CVE-2018-16705 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2018-16705?

Check the references section above for vendor advisories and patch information. Affected products include: Furuno Felcom 250 Firmware, Furuno Felcom 250, Furuno Felcom 500 Firmware, Furuno Felcom 500.