Cypress Solutions CTM-200/CTM-ONE 1.3.6 Hard-coded Credentials Remote Root

Advisories

severity: critical
date: December 31, 2025
Affecting: CTM-ONE (1.3.6-latest)
CTM-ONE (1.3.1)
CTM-ONE (1.1.9)
CTM200 (2.7.1.5659-latest)
CTM200( 2.0.5.3356-184)
CVE: CVE-2021-47744
CWE: CWE-798 Use of Hard-coded Credentials
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-50407
Cypress Solutions Official Homepage
Zero Science Lab Disclosure (ZSL-2021-5686)
Credit: LiquidWorm as Gjoko Krstic of Zero Science Lab
Description: Cypress Solutions CTM-200/CTM-ONE 1.3.6 contains hard-coded credentials vulnerability in Linux distribution that exposes root access. Attackers can exploit the static 'Chameleon' password to gain remote root access via Telnet or SSH on affected devices.