FaceSentry Access Control System 6.4.8 Remote SSH Root Access

Advisories

severity: critical
date: December 24, 2025
Affecting: FaceSentry Access Control System 6.4.8 build 264, 5.7.2 build 568, 5.7.0 build 539
CVE: CVE-2019-25241
CWE: CWE-798 Use of Hard-coded Credentials
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-47067
Vendor Product Homepage
Zero Science Lab Disclosure (ZSL-2019-5526)
Credit: LiquidWorm as Gjoko Krstic of Zero Science Lab
Description: FaceSentry Access Control System 6.4.8 contains a critical authentication vulnerability with hard-coded SSH credentials for the wwwuser account. Attackers can leverage the insecure sudoers configuration to escalate privileges and gain root access by executing sudo commands without authentication.