CVE-2023-38433
published 2023-07-26

CVE-2023-38433: Fujitsu Real-time Video Transmission Gear "IP series" use hard-coded credentials, which may allow a remote unauthenticated attacker to initialize or reboot the…

Priority P179 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 2.99% (85.6th percentile)
Fujitsu Real-time Video Transmission Gear "IP series" use hard-coded credentials, which may allow a remote unauthenticated attacker to initialize or reboot the products, and as a result, terminate the video transmission. Affected products and versions are as follows: IP-HE950E firmware versions V01L001 to V01L053, IP-HE950D firmware versions V01L001 to V01L053, IP-HE900E firmware versions V01L001 to V01L010, IP-HE900D firmware versions V01L001 to V01L004, IP-900E / IP-920E firmware versions V01L001 to V02L061, IP-900D / IP-900ⅡD / IP-920D firmware versions V01L001 to V02L061, IP-90 firmware versions V01L001 to V01L013, and IP-9610 firmware versions V01L001 to V02L007.

Affected

19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fujitsu | ip-900d_firmware | v01l001 – v02l061 | |
| fujitsu | ip-900e_firmware | v01l001 – v02l061 | |
| fujitsu | ip-900iid_firmware | v01l001 – v02l061 | |
| fujitsu | ip-90_firmware | v01l001 – v01l013 | |
| fujitsu | ip-920d_firmware | v01l001 – v02l061 | |
| fujitsu | ip-920e_firmware | v01l001 – v02l061 | |
| fujitsu | ip-9610_firmware | v01l001 – v02l007 | |
| fujitsu | ip-he900d_firmware | v01l001 – v01l004 | |
| fujitsu | ip-he900e_firmware | v01l001 – v01l010 | |
| fujitsu | ip-he950d_firmware | v01l001 – v01l053 | |
| fujitsu | ip-he950e_firmware | v01l001 – v01l053 | |
| fujitsu_limited | ip-90 | | |
| fujitsu_limited | ip-900d_ip-900_d_ip-920d | | |
| fujitsu_limited | ip-900e_ip-920e | | |
| fujitsu_limited | ip-9610 | | |
| fujitsu_limited | ip-he900d | | |
| fujitsu_limited | ip-he900e | | |
| fujitsu_limited | ip-he950d | | |
| fujitsu_limited | ip-he950e | | |

Detection & IOCs (extracted from sources)

url: /b_download/index.html
other: username: fedish264pro, password: h264pro@broadsight
other: username: fedish265pro, password: h265pro@broadsight
other: Server: thttpd/2.25b 29dec2003
  • Shodan fingerprint for exposed Fujitsu IP Series devices: match on Server header 'thttpd/2.25b 29dec2003' combined with content-length of 1133
  • Successful exploitation returns HTTP 200 with body containing the string 'Field Support' on the /b_download/index.html endpoint when authenticated with hardcoded credentials
  • Attack uses HTTP Basic Authentication (Base64-encoded) with hardcoded credential pairs against /b_download/index.html; monitor for repeated Basic Auth attempts to this path from unauthenticated remote sources
  • The hardcoded credentials are intended for factory testing and may be obtained via reverse engineering; they provide administrative access and cannot be changed by the end-user
  • Two distinct hardcoded credential pairs exist — one for H.264 and one for H.265 product variants; both must be tested during assessments
  • CISA assigned CVSS v3 base score of 5.9 (AV:N/AC:H) due to high attack complexity, differing from the NVD/template score of 7.5 (AV:N/AC:L); defenders should note the discrepancy when prioritising
  • Exploitation allows an attacker to initialize or reboot the device, terminating video transmission — impact is availability-focused on the video feed, not code execution
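
The monitoring advice above can be turned into a log check. The following is an added example, not code from the page's sources: it assumes request records are already available as `(src_ip, path, authorization_header, status)` tuples (for instance from a reverse proxy that logs the `Authorization` header), and the repeat threshold and sample records are constructed.

```python
import base64
from collections import Counter

# Path and factory usernames as listed in the IOC section above.
TARGET_PATH = "/b_download/index.html"
FACTORY_USERS = {"fedish264pro", "fedish265pro"}
REPEAT_THRESHOLD = 3  # assumed threshold for "repeated" attempts per source

def basic_auth_user(header):
    """Return the username from an 'Authorization: Basic ...' value, or None."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:
        return None  # malformed Base64: not a usable credential
    return decoded.partition(":")[0]

def analyze(records):
    """Flag factory-account use (status 200 = accepted) and repeated Basic Auth per source."""
    alerts, attempts = [], Counter()
    for src, path, auth, status in records:
        if path.split("?", 1)[0] != TARGET_PATH:
            continue
        user = basic_auth_user(auth)
        if user is None:
            continue
        attempts[src] += 1
        if user in FACTORY_USERS:
            kind = "factory-login-success" if status == 200 else "factory-login-attempt"
            alerts.append((kind, src, user))
        if attempts[src] == REPEAT_THRESHOLD:
            alerts.append(("repeated-basic-auth", src, None))
    return alerts

def make_basic(creds):
    return "Basic " + base64.b64encode(creds.encode()).decode()

SAMPLE = [  # constructed records: documentation IPs, placeholder passwords
    ("198.51.100.7", "/b_download/index.html", make_basic("admin:x"), 401),
    ("198.51.100.7", "/b_download/index.html", make_basic("root:x"), 401),
    ("198.51.100.7", "/b_download/index.html", make_basic("fedish264pro:REDACTED"), 200),
    ("203.0.113.9", "/index.html", make_basic("fedish265pro:REDACTED"), 401),
    ("203.0.113.9", "/b_download/index.html?x=1", "Basic !!notbase64", 401),
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Matching on the username alone avoids storing the passwords in detection content; any hit on a factory account against this path warrants investigation because end users cannot change these credentials.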

CVSS provenance

nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vulncheck · 7.5 HIGH