CVE-2026-24789

Unknown · Multiple Products

An unprotected API endpoint in the affected software allows unauthenticated remote attackers to change the device password, leading to complete unauthorized administrative control.

Executive summary

A critical API flaw allows unauthenticated attackers to remotely reset device passwords, granting them full control over the affected hardware.

Vulnerability

The device exposes an API endpoint for password modification that does not require authentication. A remote, unauthenticated attacker can submit a single password change request that sets the administrative password to a value only they know; this locks out legitimate administrators and lets the attacker log in with full administrative rights.
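The following is an added illustration, not code from the affected product or its vendor. It models a device's administrative account store in memory and places a handler with the flaw described above (it never checks who is calling) beside a hardened handler that requires an administrator session, re-verifies the current password, and revokes other sessions after the change. The `Device` class, the `Authorization: Bearer` header scheme and the request shape are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed, in-memory stand-in for a device's administrative account store.
# Illustrative code written for this page, not the affected product's firmware.
class Device:
    PBKDF2_ROUNDS = 100_000

    def __init__(self, admin_password):
        self.salt = secrets.token_bytes(16)
        self.admin_hash = self._hash(admin_password)
        self.sessions = {}  # session token -> username

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, self.PBKDF2_ROUNDS)

    def verify_admin(self, password):
        # Constant-time comparison of the derived hash against the stored one.
        return hmac.compare_digest(self._hash(password), self.admin_hash)

    def login(self, username, password):
        """Return a session token on success, None otherwise (hypothetical login endpoint)."""
        if username == "admin" and self.verify_admin(password):
            token = secrets.token_urlsafe(32)
            self.sessions[token] = username
            return token
        return None

    def set_admin_password(self, new_password):
        self.admin_hash = self._hash(new_password)


def vulnerable_set_password(device, request):
    """Handler with the flaw described on this page: it never asks who is calling.
    Any client that can reach the endpoint overwrites the admin password."""
    device.set_admin_password(request["body"]["new_password"])
    return 200


def hardened_set_password(device, request):
    """Same endpoint with the checks an unauthenticated-change flaw is missing."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401  # no credential presented at all
    token = auth[len("Bearer "):]
    user = device.sessions.get(token)
    if user != "admin":
        return 401  # unknown session, or not an administrator
    body = request["body"]
    # Re-authenticate: a stolen session alone must not be enough to rotate the credential.
    if not device.verify_admin(body.get("current_password", "")):
        return 403
    new_password = body.get("new_password", "")
    if len(new_password) < 12:
        return 400
    device.set_admin_password(new_password)
    # Revoke every other session so anyone already logged in is cut off by the change.
    device.sessions = {token: user}
    return 200


if __name__ == "__main__":
    anon = {"headers": {}, "body": {"new_password": "attacker-chosen-pw"}}
    d = Device("correct horse battery staple")
    print("vulnerable:", vulnerable_set_password(d, anon), d.verify_admin("attacker-chosen-pw"))
    d = Device("correct horse battery staple")
    print("hardened, anonymous:", hardened_set_password(d, anon), d.verify_admin("attacker-chosen-pw"))
```

The hardened handler refuses the anonymous request outright; the re-check of the current password is what stops a leaked session token from being enough on its own, and revoking other sessions is what turns a password rotation into an effective eviction of an attacker who is already logged in.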

Business impact

This vulnerability poses a severe risk of total device lockout and unauthorized takeover. By setting the administrative password to a value of their choosing, an attacker both locks out legitimate administrators and gains full access to the device's settings and data. A CVSS base score of 9.8 reflects high impact on confidentiality, integrity and availability from an attack that is reachable over the network and requires neither privileges nor user interaction, so it is trivial to perform.

Remediation

Immediate Action: Apply the vendor-provided patch immediately to secure the API endpoint and enforce authentication for all administrative actions.

Proactive Monitoring: Monitor API logs for password change requests originating from unexpected or external IP addresses, and for successful password changes with no authenticated session, which is the signature of this flaw being exploited.

Compensating Controls: Until the patch is applied, disable access to the management API from the public internet and place the affected devices behind a secure gateway or VPN so that the API is reachable only from a management network.
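As an added example of the monitoring step above (written for this page, not supplied by any vendor), the script below scans API access logs in common-log style for successful password-change requests that either came from outside a management network or carry no authenticated user. The log lines, the `/api/...password` path pattern and the `10.20.0.0/16` management subnet are all constructed assumptions; the affected product's real log format and endpoint path are not known from this advisory.

```python
import ipaddress
import re

# Constructed sample API access log in common-log style; not output from any real device.
SAMPLE_LOG = """\
203.0.113.45 - - [12/Mar/2026:10:14:02 +0000] "POST /api/v1/system/password HTTP/1.1" 200 17 "-" "python-requests/2.31"
10.20.0.15 - admin [12/Mar/2026:10:15:41 +0000] "POST /api/v1/system/password HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2026:10:16:09 +0000] "GET /api/v1/status HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.45 - - [12/Mar/2026:10:16:30 +0000] "PUT /api/v1/users/admin/password HTTP/1.1" 200 17 "-" "python-requests/2.31"
10.20.0.15 - - [12/Mar/2026:10:17:02 +0000] "POST /api/v1/system/password HTTP/1.1" 401 31 "-" "Mozilla/5.0"
"""

# Hypothetical management network; replace with the subnets your administrators use.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Paths that look like credential changes; the real product's path is an assumption here.
PASSWORD_PATH = re.compile(r"/api/.*(password|credential)", re.IGNORECASE)
MUTATING = {"POST", "PUT", "PATCH"}

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one common-log line into its fields, or return None if it does not parse."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def from_management(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def find_suspicious(log_text):
    """Return successful password-change requests that came from outside the
    management nets or carry no authenticated user. Failed attempts (non-2xx)
    are skipped: only a success means the credential actually changed."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] not in MUTATING or not PASSWORD_PATH.search(rec["path"]):
            continue
        if not 200 <= rec["status"] < 300:
            continue
        reasons = []
        if rec["user"] == "-":
            reasons.append("no authenticated user")
        if not from_management(rec["ip"]):
            reasons.append("source outside management network")
        if reasons:
            hits.append({"ts": rec["ts"], "ip": rec["ip"], "path": rec["path"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["path"], "; ".join(hit["reasons"]))
```

On the sample log only the two changes from 203.0.113.45 are reported: the administrator's own change from the management subnet is clean, the failed attempt with status 401 is ignored, and a read-only status call never matches. A successful change with no authenticated user is the condition to alert on first, since that is exactly what the flaw on this page makes possible.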

Exploitation status

Public Exploit Available: No

Analyst recommendation

The ability to change administrative credentials without authentication is a fundamental security failure, and immediate patching is the only effective fix. Organizations should also perform a credential audit: confirm that the known administrative credentials still work on every affected device, and treat any unexplained lockout or password change as evidence of compromise. Because a successful exploit leaves the attacker holding the current administrative password, rotate that password after patching rather than assuming it is still private.