First Corporation's DVRs use a hard-coded password, which may allow a remote unauthenticated attacker to rewrite or obtain the configuration information of the affected device. Note that updates are provided only for late models of CFR-4EABC, CFR-4EAB, CFR-8EAB, CFR-16EAB, MD-404AB, and MD-808AB. For the other products, apply the workaround.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| c-first | cfr-16eaa_firmware | - |
| c-first | cfr-4eabc_firmware | - |
| c-first | cfr-16ehd_firmware | - |
| c-first | cfr-16eab_firmware | - |
| c-first | cfr-8eha_firmware | - |
| c-first | cfr-1004ea_firmware | - |
| c-first | md-808ha_firmware | - |
| c-first | cfr-4eaam_firmware | - |
| c-first | md-404ab_firmware | - |
| c-first | cfr-8eab_firmware | - |
| c-first | cfr-16eha_firmware | - |
| c-first | md-404hd_firmware | - |
| c-first | cfr-8eaa_firmware | - |
| c-first | cfr-4eha_firmware | - |
| c-first | cfr-8ehd_firmware | - |
| c-first | cfr-1016ea_firmware | - |
| c-first | cfr-4ehd_firmware | - |
| c-first | md-808aa_firmware | - |
| c-first | cfr-904e_firmware | - |
| c-first | md-404ha_firmware | - |
| c-first | cfr-4eaa_firmware | - |
| c-first | cfr-908e_firmware | - |
| c-first | md-808ab_firmware | - |
| c-first | md-404aa_firmware | - |
| c-first | cfr-916e_firmware | - |
| c-first | cfr-1008ea_firmware | - |
| c-first | md-808hd_firmware | - |
| c-first | cfr-4eab_firmware | - |
A missing authentication for critical function vulnerability in First Corporation's DVRs allows a remote unauthenticated attacker to rewrite or obtain the configuration information of the affected device. Note that updates are provided only for late models of CFR-4EABC, CFR-4EAB, CFR-8EAB, CFR-16EAB, MD-404AB, and MD-808AB. For the other products, apply the workaround.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| c-first | cfr-16eaa_firmware | - |
| c-first | cfr-4eabc_firmware | - |
| c-first | cfr-16ehd_firmware | - |
| c-first | cfr-16eab_firmware | - |
| c-first | cfr-8eha_firmware | - |
| c-first | cfr-1004ea_firmware | - |
| c-first | md-808ha_firmware | - |
| c-first | cfr-4eaam_firmware | - |
| c-first | md-404ab_firmware | - |
| c-first | cfr-8eab_firmware | - |
| c-first | cfr-16eha_firmware | - |
| c-first | md-404hd_firmware | - |
| c-first | cfr-8eaa_firmware | - |
| c-first | cfr-4eha_firmware | - |
| c-first | cfr-8ehd_firmware | - |
| c-first | cfr-1016ea_firmware | - |
| c-first | cfr-4ehd_firmware | - |
| c-first | md-808aa_firmware | - |
| c-first | cfr-904e_firmware | - |
| c-first | md-404ha_firmware | - |
| c-first | cfr-4eaa_firmware | - |
| c-first | cfr-908e_firmware | - |
| c-first | md-808ab_firmware | - |
| c-first | md-404aa_firmware | - |
| c-first | cfr-916e_firmware | - |
| c-first | cfr-1008ea_firmware | - |
| c-first | md-808hd_firmware | - |
| c-first | cfr-4eab_firmware | - |