CVE-2018-16591

moderate-risk
Published 2018-09-10

FURUNO FELCOM 250 and 500 devices allow unauthenticated users to change the password for the Admin, Log and Service accounts, as well as the password for the protected "SMS" panel via /cgi-bin/sm_changepassword.cgi and /cgi-bin/sm_sms_changepasswd.cgi.

Do I need to act?

~
3.7% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Felcom 250 Firmware
Felcom 500 Firmware

Affected Vendors

Furuno

References (4)

Exploit https://cyberskr.com/blog/furuno-felcom.html
Third Party Advisory https://gist.github.com/CyberSKR/2c30d964d48b5e1518ded88bd953b710
Exploit https://cyberskr.com/blog/furuno-felcom.html
Third Party Advisory https://gist.github.com/CyberSKR/2c30d964d48b5e1518ded88bd953b710
46
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 7/34 · Low
Exposure 7/34 · Low