CVE-2020-16259

Winston 1.5.4 devices have an SSH user account with access from bastion hosts. This is undocumented in device documents and is not announced to the user.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 59%
VendorProductVersion
winstonprivacywinston_firmware
1.5.4
𝑥
= Vulnerable software versions
References
https://labs.bishopfox.com/advisories/winston-privacy-version-1.5.4
https://winstonprivacy.com/
https://labs.bishopfox.com/advisories/winston-privacy-version-1.5.4
https://winstonprivacy.com/