CVE-2015-8362
Description
Multiple Harman AMX multimedia devices contain a hardcoded 'BlackWidow' debug backdoor account with administrative access via SSH or HTTP.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The setUpSubtleUserAccount function in /bin/bw on Harman AMX devices before 2015-10-12 contains a hardcoded password for the BlackWidow account [1][2][3]. This backdoor account, intended for debugging, was left in released firmware versions. Affected products include:
- NX-1200, NX-2200, NX-3200, NX-4200 (versions prior to 1.4.65)
- Massio ControlPads MCP-10x (prior to 1.4.65)
- Enova DVX-x2xx (prior to 1.4.65)
- DVX-31xxHD-SP / DVX-21xxHD-SP (prior to 4.8.331)
- DVX-2100HD-SP-T Master (prior to 4.1.420)
- Enova DGX masters (prior to 1.4.72 or 4.2.397 depending on model)
- NI-700/900 (prior to 4.1.419 or 3.60.456)
- NI-2100/3100/4100 series (prior to 4.1.419)
- many others as listed in the ICS-CERT advisory [2][3]
Exploitation
An unauthenticated remote attacker can connect to the device over SSH (port 22) or HTTP (port 80/443) and log in using the hardcoded credentials for the BlackWidow account [1][2]. No additional authentication, user interaction, or special privileges are required. The exploit vector is purely network-based, making it trivial to execute. Public exploit code is known to be available [2].
Impact
Successful login grants the attacker full administrative privileges over the affected AMX multimedia device [1][2][3]. This leads to a complete compromise of confidentiality (access to device configurations and AV streams), integrity (ability to modify settings or deploy malicious firmware), and availability (potential to disable the device). The attacker can also pivot to other network resources through the compromised device.
Mitigation
AMX has released hotfix firmware versions and updated releases to remove the hardcoded backdoor account. Patched versions include 1.4.65 for NX-series controllers and many models, 4.8.331 for DVX-31xx/21xxHD, 4.1.420 for DVX-2100HD-SP-T Master, 1.4.72 for Enova DGX NX masters, 4.2.397 for Enova DGX NI masters, 4.1.419 for NI-2100/3100/4100 series and NI-700/900, and 3.60.456 for NI-700/900 (32 MB RAM) [2]. Administrators should update affected devices to the specified firmware versions immediately. If patching is not possible, network access to SSH and HTTP services on AMX devices should be restricted using firewalls or VLAN segmentation [1].
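The patched versions above are the practical check an administrator needs: for every AMX controller in inventory, is the installed firmware at or above the fixed release for its model family? The following script is an added example, not code from the database page or from AMX. It encodes the thresholds listed in the Mitigation section, parses dotted firmware versions so that they compare numerically rather than as strings, and reports each device as vulnerable, patched, or unknown. The inventory records are constructed sample data; the prefix-based model-family matching, the "DGX NX"/"DGX NI" model labels, and the assumption that a 3.60.x build on an NI-700/900 indicates the 32 MB RAM variant are all illustrative choices rather than anything the advisory states.

```python
"""Inventory check for CVE-2015-8362 (AMX 'BlackWidow' backdoor).

Added example, not part of the database page or AMX's own tooling. It encodes
the patched firmware versions from the advisory summary and flags inventory
entries still below them. Sample inventory data is constructed; model-family
matching by prefix and the NI-700/900 branch rule are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Patched firmware per model family (prefix of the model string -> fixed version).
# Order matters: the first matching prefix wins, so more specific names come first.
PATCHED_VERSIONS: list[tuple[str, str]] = [
    ("DVX-2100HD-SP-T", "4.1.420"),  # DVX-2100HD-SP-T Master
    ("DVX-31", "4.8.331"),           # DVX-31xxHD-SP
    ("DVX-21", "4.8.331"),           # DVX-21xxHD-SP
    ("DGX NX", "1.4.72"),            # Enova DGX NX masters (label assumed)
    ("DGX NI", "4.2.397"),           # Enova DGX NI masters (label assumed)
    ("NI-2100", "4.1.419"),
    ("NI-3100", "4.1.419"),
    ("NI-4100", "4.1.419"),
    ("NX-", "1.4.65"),               # NX-1200/2200/3200/4200
    ("MCP-10", "1.4.65"),            # Massio ControlPads MCP-10x
    ("DVX-", "1.4.65"),              # remaining Enova DVX-x2xx models
]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '4.8.331' into (4, 8, 331); reject anything that is not dotted integers."""
    cleaned = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", cleaned):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in cleaned.split("."))


def patched_version_for(model: str, installed: str) -> str | None:
    """Return the minimum fixed firmware for a model, or None if the model is not in the table."""
    name = model.upper()
    if name.startswith(("NI-700", "NI-900")):
        # Assumption: a 3.60.x build marks the 32 MB RAM variant, which has its own fix line.
        return "3.60.456" if parse_version(installed)[:2] == (3, 60) else "4.1.419"
    for prefix, fixed in PATCHED_VERSIONS:
        if name.startswith(prefix):
            return fixed
    return None


@dataclass(frozen=True)
class Finding:
    host: str
    model: str
    installed: str
    fixed: str | None
    status: str  # "vulnerable", "patched" or "unknown"


def assess(inventory: list[dict]) -> list[Finding]:
    """Compare each device's installed firmware against the fixed version for its family."""
    findings: list[Finding] = []
    for dev in inventory:
        fixed = patched_version_for(dev["model"], dev["firmware"])
        if fixed is None:
            status = "unknown"
        elif parse_version(dev["firmware"]) < parse_version(fixed):
            status = "vulnerable"
        else:
            status = "patched"
        findings.append(Finding(dev["host"], dev["model"], dev["firmware"], fixed, status))
    return findings


# Constructed sample inventory: hostnames, models and versions are made up for the example.
SAMPLE_INVENTORY = [
    {"host": "av-ctrl-01", "model": "NX-1200", "firmware": "1.3.100"},
    {"host": "av-ctrl-02", "model": "NX-3200", "firmware": "1.4.65"},
    {"host": "av-sw-07", "model": "DVX-3155HD-SP", "firmware": "4.8.200"},
    {"host": "av-legacy-03", "model": "NI-700", "firmware": "3.60.400"},
    {"host": "av-legacy-04", "model": "NI-900", "firmware": "4.1.419"},
    {"host": "av-misc-09", "model": "EXAMPLE-PLACEHOLDER", "firmware": "2.0.1"},
]

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"{f.host:14} {f.model:20} {f.installed:>9} -> {f.status} (fixed: {f.fixed})")
```

Devices reported as "unknown" are models the table does not cover and should be checked against the full ICS-CERT product list rather than assumed safe; the numeric comparison matters because a string comparison would wrongly rank "1.4.7" above "1.4.65".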
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:harman:amx_firmware:1.2.322:*:*:*:*:*:*:*
- cpe:2.3:o:harman:amx_firmware:1.3.100:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. The mechanics section is only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- blog.sec-consult.com/2016/01/deliberately-hidden-backdoor-account-in.html (nvd; Exploit)
- seclists.org/fulldisclosure/2016/Jan/63 (nvd; Exploit)
- www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20160121-0_AMX_Deliberately_hidden_backdoor_account_v10.txt (nvd; Exploit)
- www.kb.cert.org/vuls/id/992624 (nvd; US Government Resource)
- www.amx.com/techcenter/NXSecurityBrief/ (nvd)
- www.amx.com/techcenter/firmware.asp (nvd)
- www.securityfocus.com/archive/1/537343/100/0/threaded (nvd)
- www.securityfocus.com/bid/81545 (nvd)
- ics-cert.us-cert.gov/advisories/ICSA-16-049-02 (nvd)
News mentions
No linked articles in our index yet.