1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Consilium Safety
- Equipment: CS5000 Fire Panel
- Vulnerabilities: Initialization of a Resource with an Insecure Default, Use of Hard-coded Credentials
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to gain high-level access to and remotely operate the device, potentially putting it into a non-functional state.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Consilium Safety product is affected:
- CS5000 Fire Panel: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 INITIALIZATION OF A RESOURCE WITH AN INSECURE DEFAULT CWE-1188
The CS5000 Fire Panel is vulnerable due to a default account that exists on the panel. Even though it is possible to change this by SSHing into the device, it has remained unchanged on every installed system observed. This account is not root but holds high-level permissions that could severely impact the device’s operation if exploited.
CVE-2025-41438 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-41438. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from All CISA Advisories
Read the original article:
Read the original article: