CVE-2023-38433

High

Published: 26 July 2023

Modified: 21 November 2024
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.5320 (98.0th percentile)
Risk Priority: 47 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-38433 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Fujitsu IP-HE950E firmware. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 2.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-38433 is a hard-coded credentials vulnerability (CWE-798) affecting Fujitsu Real-time Video Transmission Gear IP series products. The impacted devices and firmware ranges include IP-HE950E and IP-HE950D (V01L001–V01L053), IP-HE900E (V01L001–V01L010), IP-HE900D (V01L001–V01L004), multiple IP-900/IP-920 variants (V01L001–V02L061), IP-90 (V01L001–V01L013), and IP-9610 (V01L001–V02L007). The flaw carries a CVSS 3.1 score of 7.5 with network attack vector, low complexity, and high availability impact.

A remote unauthenticated attacker can supply the embedded credentials to initialize or reboot affected units, immediately terminating ongoing video transmission without any user interaction or authentication.

Vendor and JVN advisories direct administrators to the Fujitsu download site for firmware updates that address the issue across the listed product lines. The associated EPSS score stands at 0.5320 with no indicated change since disclosure.
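
An inventory check against the affected ranges listed above, as an added example that is not part of the advisory or of Fujitsu's code. It assumes firmware strings of the form VxxLyyy order by the V number and then the L number; the inventory rows and the OTHER-MODEL name are constructed.

```python
import re
import unicodedata
# Affected ranges copied from this page (inclusive on both ends).
AFFECTED = {
    "IP-HE950E": ("V01L001", "V01L053"),
    "IP-HE950D": ("V01L001", "V01L053"),
    "IP-HE900E": ("V01L001", "V01L010"),
    "IP-HE900D": ("V01L001", "V01L004"),
    "IP-900E": ("V01L001", "V02L061"),
    "IP-920E": ("V01L001", "V02L061"),
    "IP-900D": ("V01L001", "V02L061"),
    "IP-900IID": ("V01L001", "V02L061"),
    "IP-920D": ("V01L001", "V02L061"),
    "IP-90": ("V01L001", "V01L013"),
    "IP-9610": ("V01L001", "V02L007"),
}

_VERSION = re.compile(r"V(\d+)L(\d+)", re.IGNORECASE)

def parse_version(text):
    """'V01L053' -> (1, 53). Assumption: V is the major field, L the level."""
    m = _VERSION.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def normalise_model(model):
    """Fold case, spaces and the Roman numeral U+2161 to ASCII 'II'."""
    return unicodedata.normalize("NFKC", model).upper().replace(" ", "")

def is_affected(model, version):
    """True/False for listed models, None when the model is not on the list."""
    bounds = AFFECTED.get(normalise_model(model))
    if bounds is None:
        return None
    low, high = (parse_version(b) for b in bounds)
    return low <= parse_version(version) <= high

# Constructed inventory rows (hostname, model, firmware), not real devices.
INVENTORY = [
    ("enc-studio-1", "IP-HE950E", "V01L053"),
    ("enc-studio-2", "ip-900ⅡD", "v02l062"),
    ("enc-remote-1", "IP-9610", "V02L007"),
    ("other-gw-1", "OTHER-MODEL", "V01L001"),
]

def triage(inventory):
    """Hostnames of devices whose firmware falls inside an affected range."""
    return [host for host, model, fw in inventory if is_affected(model, fw)]
```

A result of None means the model is not in the list on this page, not that the device is unaffected.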

Vulnerability details

Fujitsu Real-time Video Transmission Gear "IP series" use hard-coded credentials, which may allow a remote unauthenticated attacker to initialize or reboot the products, and as a result, terminate the video transmission. Affected products and versions are as follows: IP-HE950E firmware versions V01L001 to V01L053, IP-HE950D firmware versions V01L001 to V01L053, IP-HE900E firmware versions V01L001 to V01L010, IP-HE900D firmware versions V01L001 to V01L004, IP-900E / IP-920E firmware versions V01L001 to V02L061, IP-900D / IP-900ⅡD / IP-920D firmware versions V01L001 to V02L061, IP-90 firmware versions V01L001 to V01L013, and IP-9610 firmware versions V01L001 to V02L007.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Affected versions
fujitsu | ip-he950e firmware | v01l001 — v01l053
fujitsu | ip-he950d firmware | v01l001 — v01l053
fujitsu | ip-he900e firmware | v01l001 — v01l010
fujitsu | ip-he900d firmware | v01l001 — v01l004
fujitsu | ip-900e firmware | v01l001 — v02l061
fujitsu | ip-920e firmware | v01l001 — v02l061
fujitsu | ip-900d firmware | v01l001 — v02l061
fujitsu | ip-900iid firmware | v01l001 — v02l061
fujitsu | ip-920d firmware | v01l001 — v02l061
fujitsu | ip-90 firmware | v01l001 — v01l013
+1 more product configuration(s) — see NVD for full list

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-798

Enables users to notice when hard-coded credentials have been exploited for unauthorized access.

addresses: CWE-798

Security training explicitly warns against hard-coded credentials, lowering their use in systems.

addresses: CWE-798

Policy and procedures prohibit hard-coded credentials in favor of managed authentication.

addresses: CWE-798

External identity providers eliminate the need for hard-coded credentials in applications.

addresses: CWE-798

Changing default authenticators prior to first use and protecting content prevents use of hard-coded credentials.

addresses: CWE-798

Central credential stores and rotation policies remove the need for hard-coded credentials in configuration files or code.

addresses: CWE-798

Intelligence programs surface reports of campaigns that abuse hard-coded credentials in products, prompting removal or replacement and thereby reducing successful exploitation.

addresses: CWE-798

Planned investment enables secure credential storage and management systems instead of hard-coded credentials.
