CVE-2023-37755

CRITICAL

I-doit < 25 - Hard-coded Credentials

Title source: rule

Description

i-doit pro 25 and below and I-doit open 25 and below are configured with insecure default administrator credentials, and there is no warning or prompt to ask users to change the default password and account name. Unauthenticated attackers can exploit this vulnerability to obtain Administrator privileges, resulting in them being able to perform arbitrary system operations or cause a Denial of Service (DoS).

Exploits (1)

nomisec WRITEUP

by leekenghwa · poc

https://github.com/leekenghwa/CVE-2023-37755---Hardcoded-Admin-Credential-in-i-doit-Pro-25-and-below

View Code ZIP pw:eip

References (3)

[Various Sources] https://medium.com/%40ray.999/d7a54030e055

[Various Sources] https://medium.com/%40ray.999/i-doit-v25-and-below-incorrect-access-control-issue-cve-2023-37755-d7a54030e055

[Exploit, Third Party Advisory] https://github.com/leekenghwa/CVE-2023-37755---Hardcoded-Admin-Credential-in-i-doit-Pro-25-and-below/blob/main/README.md

Scores

CVSS v3 9.8

EPSS 0.0143

EPSS Percentile 80.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-798

Status published

Products (1)

i-doit/i-doit < 25 (2 CPE variants)

Published Sep 14, 2023

Tracked Since Feb 18, 2026