Posted by Brandon Perry on Nov 26

Remote Authenticated Root in Device42 DCIM Appliance Manager v5.10 and v6.0

http://www.device42.com/download/

Device42 ships virtual appliances ready for production use as a trial
(essentially dictated by the license provided).

The Appliance Manager listens on HTTP (no SSL) on port 4242 with default
credentials of d42admin:default.

Within the Appliance Manager, the Ping and Traceroute utilities are
susceptible to command injection via bash…