Version Tested:


CVE Numbers:

CVSS Score:
10.0 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-798: Use of Hard-coded Credentials



During a recent penetration test, CRITICALSTART’s TEAMARES research discovered that OpsRamp Gateway has a backdoor account, vadmin, that allows root SSH access to the server.


Technical Details:
After installing the OpsRamp Gateway server, a script called “” runs. It sets up multiple user accounts and hardcodes their passwords by setting pre-computed password hashes.

Our team was able to crack the hash for the vadmin account; the resulting password, [email protected], can be used to SSH into the server. Additionally, the account has the sudo permissions ALL, allowing us to easily escalate to root with sudo -i.

We then proceeded to log into client servers in production as root, proving that the hashes are not unique to the install.
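A fleet audit for the condition described above, written as an added example (not code from this advisory or from OpsRamp): it flags any account whose usable password hash is identical on more than one host and notes whether that account also has unrestricted sudo. The host names, hash strings and the sudoers line format are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data: hash strings are placeholders, not real crypt output.
SHADOW_BY_HOST = {
    "gateway-a": "root:!:18200:0:99999:7:::\n"
                 "vadmin:$6$SAMPLESALT$SAMPLEHASHAAAA:18200:0:99999:7:::\n"
                 "alice:$6$saltA1$hashA1:18200:0:99999:7:::\n",
    "gateway-b": "root:*:18300:0:99999:7:::\n"
                 "vadmin:$6$SAMPLESALT$SAMPLEHASHAAAA:18300:0:99999:7:::\n"
                 "alice:$6$saltB2$hashB2:18300:0:99999:7:::\n",
}
# Assumed sudoers form for "sudo permissions ALL"; the page does not quote the line.
SUDOERS = "# constructed sudoers fragment\nroot ALL=(ALL) ALL\nvadmin ALL=(ALL) ALL\n"


def usable_hashes(shadow_text):
    """Map user -> hash for accounts that have a usable password set."""
    out = {}
    for line in shadow_text.splitlines():
        user, _, rest = line.partition(":")
        pw = rest.split(":", 1)[0]
        # Empty, '*', or a leading '!' means no password login is possible.
        if pw and not pw.startswith(("!", "*")):
            out[user] = pw
    return out


def sudo_all_users(sudoers_text):
    """Users granted unrestricted sudo, e.g. 'vadmin ALL=(ALL) ALL'."""
    pat = re.compile(r"^([A-Za-z_][\w.-]*)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s*(?:NOPASSWD:\s*)?ALL\s*$")
    return {m.group(1) for l in sudoers_text.splitlines() if (m := pat.match(l.strip()))}


def shared_credentials(shadow_by_host, sudoers_text):
    """Find (user, hash) pairs reused on more than one host."""
    seen = defaultdict(set)
    for host, text in shadow_by_host.items():
        for user, pw in usable_hashes(text).items():
            seen[(user, pw)].add(host)
    admins = sudo_all_users(sudoers_text)
    return [{"user": u, "hosts": sorted(h), "sudo_all": u in admins}
            for (u, _), h in sorted(seen.items()) if len(h) > 1]


if __name__ == "__main__":
    for finding in shared_credentials(SHADOW_BY_HOST, SUDOERS):
        print(finding)
```

An identical salt and hash for the same account on independently installed hosts means the credential was set by the installer rather than chosen per install, so every such finding should be treated as a shared secret.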


10/24/2019 – Vulnerability found
01/20/2020 – Informed that the Vendor patched the finding
03/26/2020 – Ensured that clients were patched
03/26/2020 – CVE Requested
04/07/2020 – Released vulnerability disclosure

Discovered by Charles Dardaman, Senior Adversarial Engineer for TEAMARES at CRITICALSTART

Our Team:
CRITICALSTART’s TEAMARES is comprised of professionals with more than a decade of experience conducting offensive and defensive security services. Our team has expertise in a wide array of industries, including oil and gas, healthcare, app development firms, hospitality, technology, and more.

Follow us on Twitter @TeamAresSec and @CRITICALSTART to stay up to date on vulnerability discoveries and cybersecurity news.
