Impact
The vulnerability in Vantage6 allows the creation of an initial administrative account with the username 'root' and the password 'root'. This weak default credential pair is hard‑coded, making it simple for an attacker who can reach the service to authenticate as a privileged user. Once authenticated, the attacker can perform any administrative operation, leading to a full compromise of the system.
Affected Systems
All Vantage6 deployments using versions prior to 5.0.0 are affected. The issue is fixed in release 5.0.0, which removes or changes the default credentials.
Risk and Exploitability
The CVSS score of 6.9 indicates moderate severity, while the EPSS score of less than 1 percent suggests that exploitations are currently rare. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is remote access to the Vantage6 API or web interface, enabling an attacker to authenticate instantly and gain full administrative control. No special prerequisites are required beyond network reachability.
OpenCVE Enrichment
Github GHSA