Multiple Seagate wireless storage products contain multiple vulnerabilities.
CWE-798: Use of Hard-coded Credentials - CVE-2015-2874
Some Seagate wireless storage products provide undocumented Telnet services accessible by using the default credentials of 'root' as username and the default password.
A remote unauthenticated attacker may access arbitrary files on the storage device, or gain root access to the device.
Update the firmware
Seagate Technology LLC
Thanks to Mike Baucom, Allen Harper, and J. Rach of Tangible Security for reporting this vulnerability to us. Tangible Security would also like to publically thank Seagate for their cooperation and desire to make their products and customers more secure. Also thanks to KoreLogic for reporting the GoFlex Satellite vulnerability to Seagate and working with Seagate on a resolution.
This document was written by Garret Wassermann.