Use of hard-coded credentials in GE products - CVE-2020-6963
Published: January 24, 2020
Vulnerability identifier: #VU24505
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2020-6963
CWE-ID: CWE-798
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: GE
Affected software:
ApexPro Telemetry Server
CARESCAPE Telemetry Server
Clinical Information Center (CIC)
CARESCAPE Central Station (CSCS)
ApexPro Telemetry Server
CARESCAPE Telemetry Server
Clinical Information Center (CIC)
CARESCAPE Central Station (CSCS)
Detailed vulnerability description
The vulnerability allows a remote attacker to gain full access to vulnerable system.
The vulnerability exists due to the affected products utilized hard coded SMB credentials. A remote unauthenticated attacker can access the affected system using the hard-coded credentials and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: This vulnerability affects the following versions of CIC and CSCS:
- Clinical Information Center (CIC), Versions 4.X and 5.X
- CARESCAPE Central Station (CSCS), Versions 1.X
How to mitigate CVE-2020-6963
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.