CVE-2019-20025
Last modified
CVE-2019-20025 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Certain builds of NEC SV9100 software could allow an unauthenticated, remote attacker to log into a device running an affected release with a hardcoded username and password, aka a Static Credential Vulnerability. The vulnerability is due to an undocumented user account with manufacturer privilege level. EPSS estimates a 2.93% chance of exploitation in the next 30 days.
Description
Certain builds of NEC SV9100 software could allow an unauthenticated, remote attacker to log into a device running an affected release with a hardcoded username and password, aka a Static Credential Vulnerability. The vulnerability is due to an undocumented user account with manufacturer privilege level. An attacker could exploit this vulnerability by using this account to remotely log into an affected device. A successful exploit could allow the attacker to log into the device with manufacturer level access. This vulnerability affects SV9100 PBXes that are running software release 6.0 or higher. This vulnerability does not affect SV9100 software releases prior to 6.0.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Nec | Sv9100 Firmware | >= 6.0 |
References
- https://shadytel.su/files/nec_cve.txtThird Party Advisory
- https://shadytel.su/files/nec_cve.txtThird Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-20025?
How severe is CVE-2019-20025?
How do I fix CVE-2019-20025?
Are you affected by CVE-2019-20025?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST