Andrew Tierney

**Name of the Vulnerable Software and Affected Versions** Danelec MacGregor Voyage Data Recorder (affected versions not specified) **Description** The device contains a default username and password and does not require the user to change the password upon initial setup. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Danelec MacGregor Voyage Data Recorder (affected versions not specified) **Description** Passwords are stored using a hashing method that restricts password length and is susceptible to brute force attacks, which is a trial-and-error method used to guess passwords. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Danelec MacGregor Voyage Data Recorder (affected versions not specified) **Description** An authenticated user can download a backup of the device, which contains account data and password hashes. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Danelec MacGregor Voyage Data Recorder (affected versions not specified) **Description** The software includes default accounts with hard-coded credentials, which can allow unauthorized access to the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Danelec MacGregor Voyage Data Recorder (affected versions not specified) **Description** The administrator account for the web interface allows direct editing of sensitive authentication files, which could enable an unauthorized change of the root password. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CS5000 Fire Panel (affected versions not specified) **Description** The issue is related to a default account that exists on the CS5000 Fire Panel, which holds high-level permissions. Although it is possible to change this account by SSHing into the device, it has remained unchanged on every installed system observed. This could severely impact the device's operation if exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CS5000 Fire Panel (affected versions not specified) **Description** The issue is related to a hard-coded password that runs on a VNC server and is visible as a string in the binary responsible for running VNC. This password cannot be altered, allowing anyone with knowledge of it to gain remote access to the panel. Such access could enable an attacker to operate the panel remotely, potentially putting the fire panel into a non-functional state and causing serious safety issues. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MVPower CCTV DVR models, including TV-7104HE version 1.8.4 115215B9 and TV7108HE, versions from 2014 through 2019 **Description** The issue allows a remote unauthenticated attacker to execute arbitrary operating system commands as root via a web shell accessible through the `/shell` URI. This has been referred to as the "JAWS webserver RCE" due to the identifiable HTTP response server field. The vulnerability was exploited in the wild from 2017 through 2022. **Recommendations** For MVPower CCTV DVR models, including TV-7104HE version 1.8.4 115215B9 and TV7108HE, versions from 2014 through 2019, consider disabling access to the `/shell` URI as a temporary workaround until a patch is available. Restricting access to this URI can minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Z-Wave (affected versions not specified) **Description** The issue allows an attacker within radio range during pairing to downgrade the S2 security to S0 or other less secure protocols. This downgrade enables the exploitation of another issue to intercept and spoof traffic. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Dedicated Micros DV-IP Express, SD Advanced, SD, EcoSense, and DS2 devices (affected versions not specified) Description: The issue arises because the devices rely on a GUI warning to ensure administrators configure login credentials. This makes it easier for remote attackers to obtain access in situations where the warning was not heeded. The vendor notes that clear warnings are presented on the GUI to set usernames and passwords. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Swann SWWHD-INTCAM-HD devices (affected versions not specified) **Description** The issue concerns Swann SWWHD-INTCAM-HD devices, which leave the Pre-Shared Key (PSK) in logs even after a factory reset. All affected customers were migrated by 2020-08-31. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Swann SWWHD-INTCAM-HD devices (affected versions not specified) **Description** The issue allows for FTP access as root due to the presence of the twipc root password. It is noted that all affected customers were migrated by 2020-08-31. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tapplock devices versions prior to 2018-06-12 **Description** The issue concerns the Bluetooth Low Energy (BLE) subsystem, which allows replay attacks. **Recommendations** For versions prior to 2018-06-12, update to a version released after 2018-06-12 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Tapplock devices versions prior to 2018-06-12 **Description** The issue concerns the Bluetooth Low Energy (BLE) subsystem, which relies on `Key1` and `SerialNo` for unlock operations. However, these are derived from the MAC address, which is broadcasted by the device. **Recommendations** For versions prior to 2018-06-12, consider restricting access to the BLE subsystem until a fix is available. As a temporary workaround, avoid using the BLE unlock feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ReadyDesk version 9.1 **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands via the `user name` field in the chat/staff/default.aspx page. **Recommendations** For ReadyDesk version 9.1, consider restricting access to the chat/staff/default.aspx page until a patch is available, and avoid using the `user name` field in this context to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ReadyDesk version 9.1 **Description** The issue allows local users to obtain cleartext SQL Server credentials. This is achieved by reading the SQL Config.aspx file and then decrypting the data using a hardcoded key found in the ReadyDesk.dll file. **Recommendations** For ReadyDesk version 9.1, consider restricting access to the SQL Config.aspx file and the ReadyDesk.dll file to minimize the risk of exploitation. As a temporary workaround, avoid using hardcoded keys for decryption until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ReadyDesk version 9.1 **Description** The issue allows remote attackers to execute arbitrary code by uploading and requesting a .aspx file due to an unrestricted file upload vulnerability in the chat/sendfile.aspx endpoint. **Recommendations** For ReadyDesk version 9.1, consider restricting access to the chat/sendfile.aspx endpoint to prevent arbitrary code execution until a patch is available. As a temporary workaround, restrict file uploads to only necessary file types to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ReadyDesk version 9.1 **Description** A directory traversal issue exists, allowing remote attackers to read arbitrary files. This is achieved by using a .. (dot dot) in the `SESID` parameter in conjunction with a filename in the `FNAME` parameter in the "chat/openattach.aspx" endpoint. **Recommendations** For ReadyDesk version 9.1, consider restricting access to the "chat/openattach.aspx" endpoint until a patch is available. As a temporary workaround, avoid using the `SESID` and `FNAME` parameters in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** RSI Video Technologies Videofied devices using the Frontel protocol version prior to 3 **Description** The issue allows remote attackers to obtain sensitive message or MJPEG video data by sniffing the network, as the Frontel protocol sets up AES encryption but sends all traffic in cleartext. **Recommendations** For versions prior to 3, update the Frontel protocol to version 3 or later to ensure encrypted traffic.

**Name of the Vulnerable Software and Affected Versions** RSI Video Technologies Videofied devices using the Frontel protocol version prior to 3 **Description** The issue concerns the lack of integrity protection in the Frontel protocol, which can be exploited by man-in-the-middle attackers to either initiate a false alarm or deactivate an existing alarm. This is achieved by modifying the client-server data stream. **Recommendations** For versions prior to 3, update the Frontel protocol to version 3 or later to ensure integrity protection is enabled, preventing man-in-the-middle attacks.