CVE-2019-25291
Hardcoded Credentials in INIM SmartLAN Devices Allow Unauthorized Access
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| inim_electronics | smartlan | up to and including 6.x |
| inim_electronics | smartliving | up to and including 6.x |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves hard-coded credentials embedded in the Linux firmware image of INIM Electronics Smartliving SmartLAN/G/SI devices up to version 6.x. These credentials are used for Telnet, SSH, and FTP access and cannot be changed or removed through normal device operations. Because these credentials are persistent and undisclosed to end-users, attackers can exploit them to log in remotely or locally, bypassing normal authentication and gaining unauthorized access to the system. [1, 2]
How can this vulnerability impact me?
Exploiting this vulnerability allows attackers to gain unauthorized system access to the affected SmartLiving devices. This can lead to full compromise of the control panel and security system, which are used in residential, commercial, and industrial environments for intrusion detection and home automation. Attackers can remotely control the system, potentially causing system compromise or denial of service, undermining the security and functionality of the protected premises. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the affected devices via Telnet, SSH, or FTP using the known hard-coded credentials embedded in the firmware. Since these credentials are hard-coded and cannot be changed, successful login attempts using default or known credentials indicate the presence of the vulnerability. Additionally, checking the device firmware version to confirm it is version 6.x or earlier can help identify vulnerable devices. Specific commands to test might include: `ssh user@device_ip`, `telnet device_ip`, or `ftp device_ip` using the hard-coded credentials if known from exploit databases or advisories. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting network access to the affected devices by isolating them from untrusted networks, disabling Telnet, SSH, and FTP services if possible, and monitoring for unauthorized access attempts. Since the hard-coded credentials cannot be changed through normal device operations, limiting remote access and applying network-level controls such as firewalls or VPNs to restrict access to trusted users is critical. Additionally, contacting the vendor for firmware updates or patches, if available, is recommended. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows unauthorized system access through hard-coded credentials, it could potentially lead to unauthorized access to sensitive data or control systems, which may negatively affect compliance with data protection and security regulations. No direct statements about compliance impact are available in the provided resources. [1, 2]