CVE-2017-12928
published 2017-09-21


Priority P270 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.95% (85.4th percentile)
A hard-coded password of tecn0visi0n for the dlxuser account in TecnoVISION DLX Spot Player4 (all known versions) allows remote attackers to log in via SSH and escalate privileges to root access with the same credentials.

Detection & IOCs (extracted from sources)

other: username: dlxuser / password: tecn0visi0n
command: ssh dlxuser@<host> (password: tecn0visi0n)
url: http://host/resource.php
url: http://host/resource/source/shell.php?c=id
path: /resource.php
path: /resource/source/shell.php
  • Detect SSH login attempts using the hardcoded credential 'dlxuser' with password 'tecn0visi0n'; successful logins to this account on any device should be treated as compromise indicators.
  • Monitor for privilege escalation from 'dlxuser' to root immediately after SSH login, as the same password 'tecn0visi0n' is used for both.
  • Alert on HTTP POST requests to '/resource.php' on DlxSpot Player4 hosts, which is the file upload endpoint abused for arbitrary PHP shell upload leading to RCE.
  • Detect HTTP GET requests to '/resource/source/*.php' with query parameters (e.g., '?c='), indicating execution of an uploaded web shell.
  • Hunt for the SQL injection bypass string "x' or 'x'='x" in HTTP login request bodies targeting the DlxSpot admin interface.
  • Use the Google dork '"DlxSpot - Player4"' to identify internet-exposed instances of the vulnerable product for asset discovery.
  • The hardcoded SSH credential affects ALL known versions of TecnoVISION DLX Spot Player4, not just a specific release; there is no patched version referenced in the sources.
  • The SQL injection and arbitrary file upload vulnerabilities affect versions above 1.5.10 only, while the hardcoded SSH backdoor (CVE-2017-12928) affects all known versions.
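
The SSH and HTTP detections listed above can be run over host logs as in the following added example, which is not taken from the page's sources. It assumes OpenSSH/PAM syslog lines and combined-format web access logs, and all sample lines are constructed. sshd does not log passwords, so the SSH rules key on the dlxuser account name alone.

```python
import re

# Rules follow the detection notes above. Log formats are assumptions:
# OpenSSH/PAM syslog lines and combined-format web access logs.
AUTH_RULES = [
    ("ssh-login-dlxuser", re.compile(r"sshd\[\d+\]: Accepted \S+ for dlxuser from (?P<src>\S+)")),
    ("ssh-attempt-dlxuser", re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?dlxuser from (?P<src>\S+)")),
    ("dlxuser-to-root", re.compile(r"session opened for user root.* by dlxuser")),
]
HTTP_RULES = [
    ("upload-endpoint-post", re.compile(r'^(?P<src>\S+) .*"POST /resource\.php[ ?]')),
    ("webshell-exec", re.compile(r'^(?P<src>\S+) .*"GET /resource/source/[^ ?"]+\.php\?\S+')),
]

# Constructed sample lines (documentation IP ranges), not real captures.
AUTH_SAMPLE = [
    "Sep 21 10:02:11 player sshd[2211]: Failed password for dlxuser from 203.0.113.7 port 50122 ssh2",
    "Sep 21 10:02:15 player sshd[2211]: Accepted password for dlxuser from 203.0.113.7 port 50122 ssh2",
    "Sep 21 10:02:31 player su[2290]: pam_unix(su:session): session opened for user root by dlxuser(uid=1001)",
    "Sep 21 10:05:00 player sshd[2300]: Accepted publickey for admin from 198.51.100.4 port 40000 ssh2",
]
HTTP_SAMPLE = [
    '203.0.113.7 - - [21/Sep/2017:10:10:01 +0000] "POST /resource.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [21/Sep/2017:10:10:09 +0000] "GET /resource/source/shell.php?c=id HTTP/1.1" 200 54',
    '198.51.100.4 - - [21/Sep/2017:10:11:00 +0000] "GET /resource/source/logo.png HTTP/1.1" 200 9000',
    '198.51.100.4 - - [21/Sep/2017:10:12:00 +0000] "GET /resource.php HTTP/1.1" 200 700',
]

def scan(lines, rules):
    """Return (rule_name, source_ip_or_None, line) for each line matching a rule."""
    hits = []
    for line in lines:
        for name, rx in rules:
            m = rx.search(line)
            if m:
                # Rules without a 'src' group (the su/PAM line) report None.
                hits.append((name, m.groupdict().get("src"), line))
                break
    return hits

if __name__ == "__main__":
    for name, src, line in scan(AUTH_SAMPLE, AUTH_RULES) + scan(HTTP_SAMPLE, HTTP_RULES):
        print(f"{name:22} {src or '-':15} {line}")
```
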

CVSS provenance

nvd · v3.0 · 9.8 · CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 10.0 · CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C