Use of Hard-coded Password in Philips products - CVE-2019-13530

 


Published: September 13, 2019


Vulnerability identifier: #VU21104
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-13530
CWE-ID: CWE-259
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vendor: Philips
Affected software:
IntelliVue MX600
IntelliVue MX700
IntelliVue MX800
IntelliVue MPX2
IntelliVue MP2
IntelliVue MP5SC
IntelliVue MP5
IntelliVue MP90
IntelliVue MP80
IntelliVue MP70
IntelliVue MP60
IntelliVue MP50
IntelliVue MP40
IntelliVue MP30
IntelliVue MP20

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists because the software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. A remote attacker can use these credentials to log in via FTP and upload malicious firmware.

How to mitigate CVE-2019-13530

This vulnerability was fixed only in the WLAN Version C.

Sources