Hard-coded, system-level credentials exist on the Ruckus IoT Controller OVA image, and are exposed to attackers who mount the filesystem.
An undocumented, administrative-level, hard-coded web application account exists in the IoT Controller OVA which cannot be changed by the customer.
A Python script (web.py) for a Dockerized webservice contains a directory traversal vulnerability, which can be leveraged by an authenticated attacker to view the contents of directories on the IoT…
The IoT Controller web application includes a NodeJS module, node-red, which has the capability for users to read or write to local files on the IoT Controller. With the elevated…
An upgrade account is included in the IoT Controller OVA that provides the vendor undocumented access via Secure Copy (SCP).