cbcvebase.
CVE-2025-46352
published 2025-05-30

CVE-2025-46352: The CS5000 Fire Panel is vulnerable due to a hard-coded password that runs on a VNC server and is visible as a string in the binary responsible for running…

PriorityP260critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.69%
48.1th percentile
The CS5000 Fire Panel is vulnerable due to a hard-coded password that runs on a VNC server and is visible as a string in the binary responsible for running VNC. This password cannot be altered, allowing anyone with knowledge of it to gain remote access to the panel. Such access could enable an attacker to operate the panel remotely, potentially putting the fire panel into a non-functional state and causing serious safety issues.

Affected

1 ranges
VendorProductVersion rangeFixed in
consilium_safetycs5000_fire_panel

Detection & IOCsextracted from sources · hover to see the quote

  • The CS5000 Fire Panel runs a VNC server with a hard-coded password that is visible as a plaintext string in the binary responsible for running VNC. Inspect the VNC server binary on CS5000 panels for embedded credential strings.
  • The hard-coded VNC password cannot be changed; any VNC authentication attempt to a CS5000 Fire Panel using the embedded credential should be treated as suspicious and investigated regardless of source.
  • A separate default high-privilege account exists on the CS5000 Fire Panel accessible via SSH. Monitor for SSH logins to CS5000 panels, especially with default credentials, as this account has been found unchanged on every observed installed system.
  • All CS5000 Fire Panel versions prior to R1.17.1 are affected. Alert on network traffic to/from unpatched CS5000 panels (versions < R1.17.1) on VNC ports.
  • ·Exploitation requires local/adjacent network access; the CVSS attack vector was updated from AV:N to AV:L, meaning these vulnerabilities are NOT remotely exploitable over the internet.
  • ·The hard-coded VNC password is embedded in the VNC server binary and cannot be changed by the operator, making patching to R1.17.1 the only remediation for CVE-2025-46352.
  • ·Software update R1.17.1 is not available for public download; asset owners must obtain it through their Consilium representative or local support office.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.3CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.