CVE-2023-37755

CRITICAL

i-doit < 25 - Use of Hard-coded Credentials


Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-37755. PoCs published by leekenghwa.

AI-analyzed exploit summary: This repository documents CVE-2023-37755, a hardcoded admin credential vulnerability in i-doit Pro 25 and below. The vulnerability allows authentication bypass using the default credentials 'admin:admin'.

Description

i-doit Pro 25 and below and i-doit Open 25 and below are configured with insecure default administrator credentials, and there is no warning or prompt asking users to change the default password and account name. Unauthenticated attackers can exploit this vulnerability to obtain Administrator privileges, which allows them to perform arbitrary system operations or cause a Denial of Service (DoS).

Exploits (1)

nomisec WRITEUP
by leekenghwa · poc
https://github.com/leekenghwa/CVE-2023-37755---Hardcoded-Admin-Credential-in-i-doit-Pro-25-and-below


Classification: Writeup (90%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: i-doit Pro 25 and below
Authentication: none needed
Prerequisites: Access to the login page of i-doit Pro
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.0109
EPSS Percentile 61.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-798
Status published
Products (1)
i-doit/i-doit < 25 (2 CPE variants)
Published Sep 14, 2023
Tracked Since Feb 18, 2026