Taiko AG1000-01A SMS Alert Gateway Hard-Coded Credential Vulnerability

A hard-coded credential vulnerability has been identified in the Taiko AG1000-01A SMS Alert Gateway, specifically in versions Rev 7.3 and Rev 8. The vulnerability exists within the embedded web configuration interface, where authentication is solely managed through client-side JavaScript in the file 'login.zhtml'. This implementation exposes static plaintext credentials in the page source. Unauthenticated attackers with network access can extract administrative credentials from the client-side 'validate()' function, gaining full administrative access to the device.

Impact

Exploitation of this vulnerability allows unauthenticated attackers with network access to retrieve plaintext administrative credentials, leading to complete administrative control over the device. This access includes the ability to modify configuration settings, disrupt operational functions by altering alarm parameters or SMS alert routing, and access sensitive event log information.

Reproduction

The vulnerability can be reproduced by accessing the web configuration interface of the Taiko AG1000-01A SMS Alert Gateway. The 'login.zhtml' page can be reached over the local network. Once the page is loaded, the client-side 'validate()' function can be inspected to reveal the hard-coded administrative credentials, which are exposed in plaintext. These credentials can then be used to log in and gain full administrative access to the device.

Remediation

No official patch is available for this vulnerability, as the vendor appears to be inactive. Organizations using the Taiko AG1000-01A SMS Alert Gateway should immediately isolate the device from internet-facing networks, place it in a non-routing Management VLAN, and require secure VPN access for remote configuration.