Description
MinMax CMS from MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend system without being recorded in the system logs.
References (4)
https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html (Various Sources, third-party-advisory)
https://www.twcert.org.tw/en/cp-139-7831-b9a46-2.html (Various Sources, third-party-advisory)
https://www.chtsecurity.com/news/2dde8d39-59fc-4c09-b4ad-0acf692321c5 (Various Sources, third-party-advisory)
https://www.chtsecurity.com/news/6b2393f5-3041-4011-b2ea-528e312c6b3c (Various Sources, third-party-advisory)
Scores
CVSS v3: 9.8
EPSS: 0.0065
EPSS Percentile: 46.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-798, CWE-912
Status: published
Products (1): MinMax Digital Technology/MinMax CMS
Published: May 30, 2024
Tracked Since: Feb 18, 2026