CVE-2018-18871
CRITICALGigaset Maxwell Basic VoIP Phones 2.22.7 - Unauthenticated Admin Password Change
Title source: llmDescription
Missing password verification in the web interface on Gigaset Maxwell Basic VoIP phones with firmware 2.22.7 would allow a remote attacker (in the same network as the device) to change the admin password without authentication (and without knowing the original password).
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://www.sit.fraunhofer.de/fileadmin/dokumente/CVE/Advisory_Gigaset_Maxwell.pdf?_=1541431343
Scores
CVSS v3
9.8
EPSS
0.0166
EPSS Percentile
73.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-640
Status
published
Products (1)
gigasetpro/maxwell_basic_firmware
2.22.7
Published
Dec 20, 2018
Tracked Since
Feb 18, 2026