PT-2018-13634 · Furuno · Furuno Felcom

Cyberskr · Published 2018-09-10 · Updated 2020-08-24 · CVE-2018-16591

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: FURUNO FELCOM versions 250 and 500

Description: The issue allows unauthenticated users to change passwords for critical accounts, including Admin, Log, and Service, as well as the protected "SMS" panel. This is achieved through access to specific API endpoints: "/cgi-bin/sm_changepassword.cgi" and "/cgi-bin/sm_sms_changepasswd.cgi".

Recommendations: For FURUNO FELCOM versions 250 and 500, restrict access to the "/cgi-bin/sm_changepassword.cgi" and "/cgi-bin/sm_sms_changepasswd.cgi" API endpoints to prevent unauthorized password changes. Consider temporarily disabling these endpoints until a patch is available.
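As an added example (not part of this advisory or of any Furuno software), a defender-side check that scans web-server access logs for requests to the two password-change CGI endpoints and flags any client outside a trusted management network. The combined log format, the sample log lines and the 10.0.0.0/8 trusted range are assumptions; the endpoint paths are those of the CVE-2018-16591 record, written with underscores.

```python
import re
from ipaddress import ip_address, ip_network

# The two password-change CGI endpoints named in the advisory.
PASSWORD_CHANGE_ENDPOINTS = {
    "/cgi-bin/sm_changepassword.cgi",
    "/cgi-bin/sm_sms_changepasswd.cgi",
}

# Assumed combined log format: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_password_change_requests(log_lines, trusted_networks=("10.0.0.0/8",)):
    """Return every request that hit a password-change endpoint, marking
    whether the client came from outside the trusted management networks."""
    trusted = [ip_network(n) for n in trusted_networks]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as access-log entries
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if path not in PASSWORD_CHANGE_ENDPOINTS:
            continue
        client = m.group("client")
        try:
            from_trusted = any(ip_address(client) in n for n in trusted)
        except ValueError:
            from_trusted = False  # unparsable client address: treat as untrusted
        hits.append({
            "client": client,
            "timestamp": m.group("ts"),
            "method": m.group("method"),
            "path": path,
            "status": int(m.group("status")),
            "untrusted_source": not from_trusted,
        })
    return hits

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    '10.1.2.3 - - [10/Sep/2018:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Sep/2018:10:00:05 +0000] "POST /cgi-bin/sm_changepassword.cgi HTTP/1.1" 200 88',
    '10.1.2.9 - - [10/Sep/2018:10:01:10 +0000] "POST /cgi-bin/sm_sms_changepasswd.cgi?x=1 HTTP/1.1" 200 88',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in find_password_change_requests(SAMPLE_LOG):
        print(hit)
```

A hit with `untrusted_source` set is a password change attempted from outside the management network and warrants an immediate credential reset and review.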

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2018-16591

Affected Products: Furuno Felcom