#VU12294 Credentials management in ZyXEL PK5001Z - CVE-2016-10401
Published: April 30, 2018 / Updated: September 14, 2018
Vulnerability identifier: #VU12294
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2016-10401
CWE-ID: CWE-255
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
ZyXEL PK5001Z
ZyXEL PK5001Z
Software vendor:
ZyXEL Communications Corp.
ZyXEL Communications Corp.
Description
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The weakness exists due to ZyXEL PK5001Z devices have zyad5001 as the su password. A remote attacker can gain root access if a non-root account password is known or a non-root default account exists within an ISP's deployment of the devices.
The weakness exists due to ZyXEL PK5001Z devices have zyad5001 as the su password. A remote attacker can gain root access if a non-root account password is known or a non-root default account exists within an ISP's deployment of the devices.
Remediation
Install update from vendor's website.