PT-2020-16978 · Barco · Barco Wepresent Wipg-1600W

Jim Becher (+1) · Published 2020-11-24 · Updated 2022-07-12 · CVE-2020-28331

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Barco wePresent WiPG-1600W, firmware version 2.5.1.8.
Description: Improper access control in the Barco wePresent WiPG-1600W. The firmware image ships an SSH daemon that is disabled by default and is not started at boot; whether it starts is decided at boot time from a variable in the persistent device configuration. A remote attacker who can reach the device's web interface can, without authentication (AV:N/PR:N), include that configuration variable in a POST request and have it written to the stored configuration, so that the SSH daemon is started on the next boot and becomes reachable over the network. Note that the CVSS vector scores only the unauthenticated, persistent configuration change (I:H, with C:N and A:N); the vector says nothing about whether the started daemon accepts a login, which is where the "unauthorized access" risk would actually materialise.
Recommendations: This entry lists no fixed release for version 2.5.1.8, so check the vendor's release notes before relying on the workarounds below. Until a fixed version is deployed: (1) keep the device's web interface reachable only from a trusted administrative network, since the configuration change needs nothing more than network access to that interface; (2) because the change only takes effect at boot, verify after every restart that nothing is listening on TCP/22 on the device; (3) if an SSH service is found listening, treat the stored configuration as tampered and re-apply a known-good configuration rather than just stopping the daemon, since the variable persists across reboots.

Related Identifiers

CVE-2020-28331

Affected Products

Barco Wepresent Wipg-1600W