GNCC GP5 v7.1.76 was discovered to utilize a weak hashing algorithm to protect the root password, possibly allowing attackers to obtain root credentials and privileges via a bruteforce attack.
The vulnerability results from the use of a weak (cryptographically insecure) hashing algorithm (CWE-328) to store the root account password on the device. Obtaining access to the stored password hash — for example, by reading the password file — allows an attacker to conduct a brute-force attack and recover the original password in an acceptable timeframe. After obtaining the root password, the attacker can log in to the device with the highest privileges.
An attacker can obtain full administrator (root) privileges on the device, enabling arbitrary system modifications, installation of malicious software, or use of the device as an entry point to the network.
Patches available from the manufacturer should be applied in accordance with the references. It is also recommended to change the default root password to a strong, unique password and restrict device access at the network level.
GNCC GP5 version v7.1.76
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H