FydeOS for PC 17.1 R114, FydeOS for VMware 17.0 R114, FydeOS for You 17.1 R114, and OpenFyde R114 were discovered to be configured with the root password saved as a wildcard. This allows attackers to gain root access without a password.
The vulnerability results from incorrect factory configuration — the root account password was configured as a wildcard instead of a strong, random password. CWE-259 describes the use of hard-coded passwords; in this case, the wildcard acts as a password that accepts any or no authentication. Anyone with network or local access to the system can log in as root, bypassing the standard authentication mechanism.
The attacker gains full root privileges, providing complete control over the system — ability to read and modify data, install software, change configuration, and permanently compromise the device.
Apply patches available from the manufacturer according to the references (https://fydeos.io/, https://openfyde.io/). Until an update is applied, it is recommended to manually set a strong password for the root account and restrict access to the system at the network and physical level.
FydeOS for PC 17.1 R114, FydeOS for VMware 17.0 R114, FydeOS for You 17.1 R114, and OpenFyde R114
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H