CVE-2019-19492
published 2019-12-02CVE-2019-19492: FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml.
PriorityP187critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
28.95%
97.9th percentile
FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freeswitch | freeswitch | 1.6.10 – 1.10.1 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for inbound TCP connections to port 8021, which is the default FreeSWITCH Event Socket listener; unexpected external or lateral connections to this port may indicate exploitation attempts. ↗
- →Alert on use of the FreeSWITCH `system` API command over the Event Socket interface, which is the mechanism used to achieve OS command execution in this exploit. ↗
- →Audit event_socket.conf.xml for the presence of a default/unchanged password; authentication with the default credential is a strong indicator of exploitation or pre-exploitation reconnaissance. ↗
- ·The Event Socket service is enabled by default, meaning all unpatched FreeSWITCH installs in the affected version range (1.6.10–1.10.1) are exposed without any additional attacker configuration required. ↗
- ·The CISA advisory notes a separate but related hard-coded credential issue in the Sensormatic victor SIP component (also assigned CVE-2019-19492); this is a local-only, low-complexity vulnerability not exploitable remotely. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-24cv-mgp7-4xjv: FreeSWITCH 1
ghsa_unreviewed·2022-05-24
CVE-2019-19492 [CRITICAL] CWE-798 GHSA-24cv-mgp7-4xjv: FreeSWITCH 1
FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml.
VulnCheck
freeswitch freeswitch Use of Hard-coded Credentials
vulncheck·2019·CVSS 9.8
CVE-2019-19492 [CRITICAL] freeswitch freeswitch Use of Hard-coded Credentials
freeswitch freeswitch Use of Hard-coded Credentials
FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml.
Affected: freeswitch freeswitch
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.bitsight.com/blog/rondodox-botnet-infrastructure-analysis
Exploit PoC: https://vulncheck.com/xdb/ef206f8b558b; https://vulncheck.com/xdb/5c7a456ef6e8; https://vulncheck.com/xdb/6eba52e51c94
CISA ICS
Sensormatic Electronics victor
cisa_ics·2021-10-29·CVSS 9.8
[CRITICAL] Sensormatic Electronics victor
## Archived Content In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
##
Sensormatic Electronics victor
Last RevisedOctober 29, 2021
Alert CodeICSA-21-301-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.8
- ATTENTION: Low attack complexity
- Vendor: Sensormatic Electronics, LLC, a subsidiary of Johnson Controls, Inc.
- Equipment: victor
- Vulnerability: Use of Hard-coded Credentials
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an unauthorized elevation of privileges.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of victor, a video management system, are affected:
- victor: Versions 5.7 and
No detection rules found.
No writeups or analysis indexed.
2019-12-02
Published
Exploited in the wild