CVE-2021-47744
Unknown Unknown - Not Provided
Hard-Coded Credentials in Cypress CTM Devices Allow Root Access

Publication date: 2025-12-31

Last updated on: 2025-12-31

Assigner: VulnCheck

Description
Cypress Solutions CTM-200/CTM-ONE 1.3.6 contains hard-coded credentials vulnerability in Linux distribution that exposes root access. Attackers can exploit the static 'Chameleon' password to gain remote root access via Telnet or SSH on affected devices.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-31
Last Modified
2025-12-31
Generated
2026-06-16
AI Q&A
2026-01-01
EPSS Evaluated
2026-06-15
NVD
CVE-2021-47744
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
busybox busybox 1.24.1
lighttpd lighttpd 1.4.39
cypress_solutions ctm-one *
busybox busybox 1.15.3
cypress_solutions ctm-200 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows unauthorized remote root access to devices used in industrial and operational environments, it could potentially lead to unauthorized access to sensitive data or disruption of critical systems, which may affect compliance with data protection and security regulations. No direct statements or analyses regarding compliance impact are available in the provided resources. [1, 3, 4]

Executive Summary

CVE-2021-47744 is a vulnerability in Cypress Solutions CTM-200 and CTM-ONE industrial cellular wireless gateways. These devices contain hard-coded credentials, specifically a static password named 'Chameleon', embedded in their Linux distribution. This flaw allows attackers to remotely gain root access via Telnet or SSH without needing any authentication, enabling them to execute arbitrary commands with full administrative privileges on the affected devices. [1, 3, 4]

Impact Analysis

This vulnerability can have severe impacts as it allows unauthorized remote attackers to gain root-level access to affected devices. With this access, attackers can execute arbitrary commands, potentially compromising sensitive resources, disrupting operations, and causing denial of service. Since these devices are used in industrial applications such as mobile fleet tracking and SCADA communications, exploitation could lead to significant operational disruptions and security breaches. [1, 3, 4]

Detection Guidance

This vulnerability can be detected by checking for the presence of the hard-coded credentials, specifically the username 'root' or 'admin' with the password 'Chameleon' on affected Cypress Solutions CTM-200 and CTM-ONE devices. You can attempt to connect via SSH or Telnet using these credentials to verify if the device is vulnerable. Additionally, inspecting system files such as /var/config/passwd and /etc/shadow for fixed password hashes corresponding to 'Chameleon' can help identify the issue. A proof-of-concept Python3 exploit script (cypress_ssh.py) using Paramiko SSH library is available to test remote access with these credentials. [1, 3]

Mitigation Strategies

Immediate mitigation steps include disabling Telnet and SSH services if not required, changing the hard-coded 'Chameleon' password if possible, or replacing affected devices with updated firmware versions that do not contain hard-coded credentials. If firmware updates are not available, isolating the devices from untrusted networks and restricting access to trusted administrators can reduce risk. Monitoring network traffic for unauthorized SSH or Telnet login attempts using the known credentials is also recommended. [1, 3, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47744. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart