CVE-2018-14078

Name of the Vulnerable Software and Affected Versions Wi2be SMART HP WMT version 1.2.20 201400922

Description The issue allows unauthorized remote attackers to reset the admin password via the "ConfigWizard/ChangePwd.esp?2admin" API endpoint. After a successful attack, attackers can login using the username "admin" with password "admin".

Recommendations For version 1.2.20 201400922, as a temporary workaround, consider restricting access to the "ConfigWizard/ChangePwd.esp?2admin" API endpoint until a patch is available. Avoid using the default "admin" username and password in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.