Description
FURUNO FELCOM 250 and 500 devices allow unauthenticated access to the xml/permission.xml file containing all of the system's usernames and passwords. This includes the Admin and Service user accounts and their unsalted MD5 hashes, as well as the SMS server password in cleartext.
References (2)
Core References
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://cyberskr.com/blog/furuno-felcom.html
Third Party Advisory x_refsource_misc
https://gist.github.com/CyberSKR/c00eabd6b1d5603d724b615ab358ff31
Scores
CVSS v3: 9.8
EPSS: 0.0157
EPSS Percentile: 72.4%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-200
Status: published
Products (2):
furuno/felcom_250_firmware
furuno/felcom_500_firmware
Published: Sep 10, 2018
Tracked Since: Feb 18, 2026