CVE-2018-16591
CRITICALFURUNO FELCOM 250 and 500 - Unauthenticated Password Change via sm_changepassword.cgi and sm_sms_changepasswd.cgi
Title source: llmDescription
FURUNO FELCOM 250 and 500 devices allow unauthenticated users to change the password for the Admin, Log and Service accounts, as well as the password for the protected "SMS" panel via /cgi-bin/sm_changepassword.cgi and /cgi-bin/sm_sms_changepasswd.cgi.
References (2)
Core 2
Core References
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://cyberskr.com/blog/furuno-felcom.html
Third Party Advisory x_refsource_misc
https://gist.github.com/CyberSKR/2c30d964d48b5e1518ded88bd953b710
Scores
CVSS v3
9.8
EPSS
0.0216
EPSS Percentile
80.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-862
Status
published
Products (2)
furuno/felcom_250_firmware
furuno/felcom_500_firmware
Published
Sep 10, 2018
Tracked Since
Feb 18, 2026