A critical vulnerability has been identified in multiple products, allowing a remote, unauthenticated attacker to gain complete control of affected devices. The flaw resides in the initial setup wizard, which can be re-accessed after configuration, enabling an attacker to reset administrative credentials and achieve a full system compromise. This represents a severe risk, potentially leading to data breaches, service disruption, and further network infiltration.

The vulnerability exists within the device's commissioning wizard, which is used for initial setup. This wizard fails to implement a check to confirm whether the device has already been initialized and configured. As a result, an unauthenticated remote attacker can send specially crafted POST requests to the wizard's endpoint at any time. This allows the attacker to overwrite the existing root credentials, effectively gaining complete administrative control over the device.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could lead to a complete compromise of the affected device, resulting in the loss of confidentiality, integrity, and availability. An attacker could exfiltrate sensitive data, deploy malware or ransomware, disrupt critical services, or use the compromised device as a pivot point to launch further attacks against the internal network. The potential business impact includes significant operational downtime, financial loss, reputational damage, and regulatory penalties.

Immediate Action: The primary remediation is to apply the security update provided by the vendor immediately. Upgrade all affected products to the latest version, which corrects the validation flaw in the commissioning wizard. After patching, it is crucial to review system access logs for any signs of unauthorized credential modification or access.

Proactive Monitoring:

• Log Analysis: Scrutinize web server and application logs for any POST requests directed to setup, commissioning, or initialization API endpoints, particularly from untrusted or external IP addresses.
• Network Traffic: Monitor for unusual traffic patterns to the device's management interface. An alert should be triggered if the setup wizard is accessed after the initial deployment date.
• User Accounts: Regularly audit privileged accounts on the device to detect any unauthorized additions or modifications.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

• Network Segmentation: Restrict all access to the device's management interface using a firewall or Network Access Control Lists (ACLs), permitting connections only from a dedicated, trusted management network or specific IP addresses.
• Port Blocking: If the commissioning wizard runs on a distinct port, block that port at the network edge after the initial setup is complete.
• Web Application Firewall (WAF): Deploy a WAF in front of the device to create a virtual patch that blocks requests to the vulnerable setup endpoints.

Public Exploit Available: False

This vulnerability presents a critical and immediate threat to the organization. Given the CVSS score of 9.8, which signifies a trivial-to-exploit vulnerability leading to full system compromise, patching must be treated as the highest priority. All system owners must apply the vendor-supplied updates without delay. While this CVE is not currently on the CISA KEV list, its characteristics make it a strong candidate for inclusion should widespread exploitation occur. Organizations that cannot patch immediately must implement compensating controls, such as strict network access restrictions to the management plane, to mitigate this severe risk.