Anevia Flamingo XL/XS Default Hardcoded Credentials Vulnerability

Vulnerability

A critical vulnerability exists in Anevia Flamingo XL/XS versions 3.6.20 and 3.2.9: the administrative accounts ship with weak, hardcoded default credentials that are easily guessable. An unauthenticated remote attacker who knows these defaults can gain full control of the system simply by logging in with them. The issue was discovered in a live environment running GNU/Linux 3.14.29 (x86_64) with Apache/2.2.22 (Debian) and PHP/5.6.0.

Impact

Exploitation of this vulnerability gives a remote attacker unauthorized access to the system with full administrative privileges.

Reproduction

The vulnerability can be reproduced by logging in to the device's web interface or via SSH using the default hardcoded credentials. The web interface accepts 'admin' with password 'paris', or 'monitor' with password 'anevia'. For SSH access, the username 'root' with the password 'anevia' can be used.
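Because the default credentials are valid for SSH, the most direct defender-side check is to watch the appliance's sshd authentication log for password logins to the accounts named above, and for repeated failures against them that precede a success. The following is an added example written for this entry, not code from the advisory or from Anevia; it assumes the appliance forwards sshd messages in the standard Debian auth.log format, and the log lines it parses are constructed samples, not captured output.

```python
import re
from collections import Counter

# Constructed sample lines in standard sshd auth.log format (not real logs
# from the device). They mix normal activity with the patterns to flag.
SAMPLE_AUTH_LOG = """\
Dec 30 22:58:01 flamingo sshd[1201]: Accepted password for monitor from 192.0.2.10 port 51234 ssh2
Dec 30 23:01:12 flamingo sshd[1222]: Failed password for root from 198.51.100.7 port 40001 ssh2
Dec 30 23:01:14 flamingo sshd[1222]: Failed password for root from 198.51.100.7 port 40001 ssh2
Dec 30 23:01:17 flamingo sshd[1223]: Accepted password for root from 198.51.100.7 port 40002 ssh2
Dec 30 23:05:40 flamingo sshd[1240]: Accepted publickey for ops from 203.0.113.5 port 39000 ssh2
"""

# Accounts the advisory lists as shipping with default credentials.
DEFAULT_ACCOUNTS = {"root", "admin", "monitor"}

# Matches both "Accepted <method> for <user> from <ip> port <n> ssh2" and
# "Failed <method> for [invalid user] <user> from <ip> port <n> ssh2".
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\S+)\sfor\s(?:invalid user\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<ip>\S+)\sport\s(?P<port>\d+)"
)


def parse_line(line):
    """Return the fields of one sshd auth line, or None if it is not one."""
    m = SSHD_RE.match(line)
    return m.groupdict() if m else None


def audit_auth_log(log_text, failure_threshold=2):
    """Scan sshd log text and return a list of findings.

    Two patterns are reported, both restricted to the default accounts:
      * any successful *password* login (key-based logins are not flagged,
        since the default-credential issue only concerns passwords);
      * a source IP that failed at least `failure_threshold` password
        attempts against one default account (guessing activity).
    """
    findings = []
    failures = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["user"] not in DEFAULT_ACCOUNTS:
            continue
        if ev["result"] == "Failed":
            failures[(ev["user"], ev["ip"])] += 1
            continue
        if ev["method"] == "password":
            findings.append({
                "type": "default_account_password_login",
                "user": ev["user"],
                "ip": ev["ip"],
                "ts": ev["ts"],
            })
    for (user, ip), count in failures.items():
        if count >= failure_threshold:
            findings.append({
                "type": "default_account_bruteforce",
                "user": user,
                "ip": ip,
                "count": count,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_auth_log(SAMPLE_AUTH_LOG):
        print(finding)
```

On the sample above the audit reports the password logins for `monitor` and `root` and the two failed attempts against `root` from the same source. Any password-authenticated login to these accounts is worth an alert until the defaults have been changed, because the advisory's credentials make such a login indistinguishable from legitimate administration.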

Added: Dec 30, 2025, 11:26 PM
Updated: Dec 30, 2025, 11:26 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.