PT-2020-11973 · Amino Communications · Amino Communications Aria6Xx Series+6
Published: 2020-12-29 · Updated: 2021-01-14 · CVE-2020-10207
CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Amino Communications AK45x series
Amino Communications AK5xx series
Amino Communications AK65x series
Amino Communications Aria6xx series
Amino Communications Aria7/AK7Xx series
Amino Communications Kami7B
Description
The issue concerns the use of hard-coded credentials in EntoneWebEngine, allowing remote attackers to retrieve and modify device settings.
Recommendations
For Amino Communications AK45x series, consider disabling remote access to the device until a fix is available.
For Amino Communications AK5xx series, restrict access to the device settings to minimize the risk of exploitation.
For Amino Communications AK65x series, avoid using the default credentials for the EntoneWebEngine.
For Amino Communications Aria6xx series, change the default credentials to custom ones to prevent unauthorized access.
For Amino Communications Aria7/AK7Xx series, limit the access to the device settings through the EntoneWebEngine.
For Amino Communications Kami7B, disable the EntoneWebEngine if possible, until a secure solution is implemented.
Exploit
Fix
Using Hardcoded Credentials
Weakness Enumeration
Related Identifiers
Affected Products
Amino Communications AK45x series
Amino Communications AK5xx series
Amino Communications AK65x series
Amino Communications Aria6xx series
Amino Communications Aria7/AK7Xx series
Amino Communications Kami7B
EntoneWebEngine