CVE-2023-38433
Published: 26 July 2023
Summary
CVE-2023-38433 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Fujitsu IP-HE950E firmware. Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 2.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-38433 is a hard-coded credentials vulnerability (CWE-798) affecting Fujitsu Real-time Video Transmission Gear IP series products. The impacted devices and firmware ranges include IP-HE950E and IP-HE950D (V01L001–V01L053), IP-HE900E (V01L001–V01L010), IP-HE900D (V01L001–V01L004), multiple IP-900/IP-920 variants (V01L001–V02L061), IP-90 (V01L001–V01L013), and IP-9610 (V01L001–V02L007). The flaw carries a CVSS 3.1 score of 7.5 with network attack vector, low complexity, and high availability impact.
A remote unauthenticated attacker can supply the embedded credentials to initialize or reboot affected units, immediately terminating ongoing video transmission without any user interaction or authentication.
Vendor and JVN advisories direct administrators to the Fujitsu download site for firmware updates that address the issue across the listed product lines. The associated EPSS score stands at 0.5320 with no indicated change since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-42250
Vulnerability details
Fujitsu Real-time Video Transmission Gear "IP series" use hard-coded credentials, which may allow a remote unauthenticated attacker to initialize or reboot the products, and as a result, terminate the video transmission. Affected products and versions are as follows: IP-HE950E firmware versions V01L001 to V01L053, IP-HE950D firmware versions V01L001 to V01L053, IP-HE900E firmware versions V01L001 to V01L010, IP-HE900D firmware versions V01L001 to V01L004, IP-900E / IP-920E firmware versions V01L001 to V02L061, IP-900D / IP-900ⅡD / IP-920D firmware versions V01L001 to V02L061, IP-90 firmware versions V01L001 to V01L013, and IP-9610 firmware versions V01L001 to V02L007.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Enables users to notice when hard-coded credentials have been exploited for unauthorized access.
Security training explicitly warns against hard-coded credentials, lowering their use in systems.
Policy and procedures prohibit hard-coded credentials in favor of managed authentication.
External identity providers eliminate the need for hard-coded credentials in applications.
Changing default authenticators prior to first use and protecting content prevents use of hard-coded credentials.
Central credential stores and rotation policies remove the need for hard-coded credentials in configuration files or code.
Intelligence programs surface reports of campaigns that abuse hard-coded credentials in products, prompting removal or replacement and thereby reducing successful exploitation.
Planned investment enables secure credential storage and management systems instead of hard-coded credentials.