Description
Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB devices with firmware through RTS/RTD 3.7.11.3 have hardcoded credentials that are easily discovered and can be used by remote attackers to authenticate via ssh. (The credentials are stored in the firmware, encrypted by the crypt function.)
References (3)
Core References
Patch, Vendor Advisory vendor-advisory
https://baicells.zendesk.com/hc/en-us/articles/6188324645780-2023-1-17-Hard-Coded-Credential-Crypt-Vulnerability
Release Notes, Vendor Advisory patch
https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6.IMG.IMG
Release Notes, Vendor Advisory release-notes
https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6_Changelog.PDF.pdf
Scores
CVSS v3: 10.0
EPSS: 0.0156
EPSS Percentile: 72.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-284, CWE-798
Status: published
Products (2)
baicells/rtd_firmware: < 3.7.11.6
baicells/rts_firmware: < 3.7.11.6
Published: Jan 26, 2023
Tracked Since: Feb 18, 2026