CVE-2016-1984
Description
A hardcoded password for the 1MB@tMaN account in /bin/bw on Harman AMX devices allows remote attackers to gain unauthorized access via SSH or HTTP.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The setUpSubtleUserAccount function in /bin/bw on Harman AMX devices sets up a hidden backdoor account, 1MB@tMaN, with a hardcoded password. This account has administrative privileges. Affected versions include those before 2016-01-20, with specific firmware versions such as v1.2.322 and v1.3.100 for the NX-1200, and many other models (e.g., NetLinx controllers, Enova switchers, Massio ControlPads) as listed in ICS-CERT advisory [2] and CERT/CC note [3].
Exploitation
An attacker can exploit this vulnerability remotely, without prior authentication, by connecting to the device over SSH or HTTP and logging in as the 1MB@tMaN account with its hardcoded password. No special network position or user interaction is required, as the account is intentionally hidden but fully functional [1][4].
Impact
Successful exploitation grants the attacker full administrative access to the device. This can lead to complete compromise of confidentiality, integrity, and availability, including the ability to modify device configuration, intercept or disrupt AV control systems, and potentially pivot to other network resources [2][3].
Mitigation
AMX has released firmware updates to address the vulnerability. For NX-1200 and other affected models, fixed versions include v1.4.65 (for some products) and hotfixes for others. Users should upgrade to the latest firmware available from AMX. If patching is not immediately possible, limiting network access to the device via firewall rules and disabling unused services (SSH/HTTP) can reduce exposure [2][3].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:harman:amx_firmware:1.2.322:*:*:*:*:*:*:*
- cpe:2.3:o:harman:amx_firmware:1.3.100:*:*:*:*:*:*:*
- Range: <2016-01-20
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Hardcoded administrative credentials in the setUpSubtleUserAccount function of /bin/bw, with the account deliberately hidden from user-listing functions."
Attack vector
An attacker can remotely log in to the web interface or SSH service using the hardcoded backdoor credentials [ref_id=1]. The account username was originally "BlackWidow" and was later changed to "1MB@tMaN" in an incomplete patch [ref_id=1]. No authentication or prior access is required, making this a network-based attack with low complexity [ref_id=1].
Affected code
The function `setUpSubtleUserAccount` in the binary `/bin/bw` on AMX devices adds a hardcoded administrative account to the internal user database [ref_id=1]. The binary is the core application providing user management and core functionality for devices such as the AMX NX-1200 [ref_id=1].
What the fix does
AMX released a hotfix on 2016-01-15 and firmware updates (e.g., NX Series Master v.1.4.65) to address the backdoor [ref_id=1]. SEC Consult did not test the hotfix and could not confirm whether the backdoor was properly removed [ref_id=1]. The advisory recommends immediately applying the hotfix for the corresponding device, with no workaround available [ref_id=1].
Preconditions
- network: The attacker must have network access to the affected AMX device's SSH or HTTP service.
- auth: No authentication or prior access is required.
Reproduction
1. Identify an affected AMX device (e.g., NX-1200) on the network.
2. Connect to the device's web interface or SSH service.
3. Log in using the hardcoded backdoor credentials: username "BlackWidow" (or "1MB@tMaN" on partially patched devices) with the corresponding hardcoded password (removed from the public advisory by the researcher) [ref_id=1].
4. Upon successful login, the attacker gains administrative access with additional privileges, such as the ability to capture network packets [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.amx.com/techcenter/NXSecurityBrief/ (nvd, Patch)
- www.amx.com/techcenter/firmware.asp (nvd, Patch)
- blog.sec-consult.com/2016/01/deliberately-hidden-backdoor-account-in.html (nvd, Exploit)
- seclists.org/fulldisclosure/2016/Jan/63 (nvd, Exploit)
- www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20160121-0_AMX_Deliberately_hidden_backdoor_account_v10.txt (nvd, Exploit)
- www.kb.cert.org/vuls/id/992624 (nvd, US Government Resource)
- ics-cert.us-cert.gov/advisories/ICSA-16-049-02 (nvd)
News mentions
No linked articles in our index yet.