CVE-2013-5755 - Credentials Management vulnerability in Yealink SIP-T38G

CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Tags: network, low complexity, yealink, CWE-255, critical, exploit available

Summary

config/.htpasswd in Yealink IP Phone SIP-T38G has a hardcoded password of (1) user (s7C9Cx.rLsWFA) for the user account, (2) admin (uoCbM.VEiKQto) for the admin account, and (3) var (jhl3iZAe./qXM) for the var account, which makes it easier for remote attackers to obtain access via unspecified vectors.

Vulnerable Configurations

Part | Description | Count
Hardware | Yealink | 1

Common Weakness Enumeration (CWE)

Exploit-Db

description: Yealink VoIP Phone SIP-T38G - Default Credentials. CVE-2013-5755. Remote exploit for hardware platform
file: exploits/hardware/remote/33739.txt
id: EDB-ID:33739
last seen: 2016-02-03
modified: 2014-06-13
platform: hardware
port:
published: 2014-06-13
reporter: Mr.Un1k0d3r
source: https://www.exploit-db.com/download/33739/
title: Yealink VoIP Phone SIP-T38G - Default Credentials
type: remote

Packetstorm

Seebug

  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:86932
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-86932
    title: Yealink VoIP Phone SIP-T38G - Remote Command Execution
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:86930
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-86930
    title: Yealink VoIP Phone SIP-T38G - Default Credentials