CVE-2019-25241

Summary

FaceSentry Access Control System 6.4.8 contains a critical authentication vulnerability with hard-coded SSH credentials for the wwwuser account. Attackers can leverage the insecure sudoers configuration to escalate privileges and gain root access by executing sudo commands without authentication.

Affected Software

VendorProductVersion RangeStatus
iWT Ltd.FaceSentry Access Control System6.4.8 build 264affected
iWT Ltd.FaceSentry Access Control System5.7.2 build 568affected
iWT Ltd.FaceSentry Access Control System5.7.0 build 539affected

Weaknesses

  • CWE-798: Use of Hard-coded Credentials

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

Additional References

References