Vulnerability Note VU#992624
Harman AMX multimedia devices contain hard-coded credentials
Multiple models of Harman AMX multimedia devices contain a hard-coded debug account.
CWE-798: Use of Hard-coded Credentials - CVE-2015-8362
According to the researchers' blog post, several models of Harman AMX multimedia devices contain a hard-coded "backdoor" account with administrative permissions. Further details are available in the researchers' vulnerability advisory. AMX firmware release notes indicate this was a debugging account left in the released firmware.
Affected devices include but are not limited to:
An attacker with knowledge of the account credentials can obtain administrative access on the device.
Apply an update
AMX has released an update for some devices. Affected users are encouraged to contact Harman's support line for more information on obtaining the update.
Restrict network access
Vendor Information
|Vendor|Status|Date Notified|Date Updated|
|---|---|---|---|
|Harman|Affected|-|21 Jan 2016|
CVSS Metrics
Thanks to Johannes Greil of SEC Consult for reporting this vulnerability.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2015-8362
- Date Public: 21 Jan 2016
- Date First Published: 21 Jan 2016
- Date Last Updated: 27 Jan 2016
- Document Revision: 39