DBPower C300 Vulnerabilities: Default Credentials, Privilege Escalation, Weak Encryption

Main Findings about Vulnerabilities DBPower C300 Multiple Vulnerabilities 1. Unauthorized Access to Configuration and Privilege Escalation - The DBPower C300 contains vulnerabilities that enable unauthorized users to alter configurations and escalate privileges. Attackers can exploit these flaws to take control of the device and its associated data. 2. Default Credentials - The device ships with default login credentials such as admin:admin, which are easily guessable. Successful authentication grants access to system settings, video streams, and other sensitive data. 3. Configuration Backup Vulnerability - The system provides a simple backup feature that exposes configuration files. Once obtained, these files can be used to manipulate or reconfigure the device. 4. Privilege Escalation due to Lax Authorization - After logging in with basic credentials, the absence of proper authorization controls allows users to bypass intended access restrictions. Most settings can be modified via the Parameters tab. 5. Network Configuration Weaknesses - After login, network interfaces can be freely reconfigured. Given the device’s network accessibility, such changes can disrupt normal operations and compromise system integrity. 6. Weak Hashing and Encryption - Passwords are stored using weak hashing algorithms, and user credentials appear in plaintext within backup files. Tools such as Web Inspector can be used to extract and recover passwords. Based on these findings, it is clear that the DBPower C300 lacks robust security controls and is highly susceptible to exploitation. Prioritizing ease of development over security represents a dangerous trade-off that exposes users to significant risks.

Goal Reached Thanks to every supporter — we hit 100%!

DBPower C300 Vulnerabilities: Default Credentials, Privilege Escalation, Weak Encryption