CVE-2021-32525
QSAN Storage Manager - Use of Hard-coded Password-2
In short
QSAN Storage Manager contains a hard-coded password in its firmware that allows anyone who knows it to log in as an administrator and execute dangerous system commands. This is a critical flaw because remote attackers can take full control of the storage system.
Technical detail
The vulnerability exists in QSAN Storage Manager firmware due to a hard-coded debug mode password embedded in the application. Remote attackers can authenticate to the control interface with administrator privileges and execute arbitrary system instructions without proper authorization, bypassing authentication mechanisms. Exploitation requires network access to the affected service and knowledge of the hard-coded credential.
Summary generated and translated by AI from the official description.
The same hard-coded password in QSAN Storage Manager's firmware allows remote attackers to access the control interface with the administrator's credential, entering the hard-coded password of the debug mode to execute the restricted system instructions. The referred vulnerability has been solved with the updated version of QSAN Storage Manager v3.3.3.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected products
QSAN · Storage Manager