CVE-2020-28329
Description
Barco wePresent WiPG-1600W firmware includes a hardcoded API account and password that is discoverable by inspecting the firmware image. A malicious actor could use this password to access authenticated, administrative functions in the API. Affected Version(s): 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Barco wePresent WiPG-1600W firmware includes hardcoded API credentials, giving anyone who recovers them administrative access to the device's API.
Vulnerability
Barco wePresent WiPG-1600W firmware versions 2.5.1.8, 2.5.0.25, 2.5.0.24, and 2.4.1.19 contain a hardcoded API account and password stored in clear text in /etc/lighthttp/admin and in hashed form in /etc/lighttpd/lighttpd.user. This credential pair is used to authenticate against an API service listening on TCP port 4001, which exposes administrative functions. The credentials are discoverable by anyone who can inspect the firmware image [1].
Exploitation
An attacker with network access to the affected device can connect to the API service on port 4001/tcp and authenticate using the hardcoded credentials, which can be recovered from the firmware image. No prior authentication or user interaction is required [1].
Impact
Successful authentication grants the attacker administrative-level access to the API. This can lead to full compromise of the device, including the ability to modify device configuration, execute arbitrary commands, and potentially pivot to other network resources. The impact is a loss of confidentiality, integrity, and availability [1].
Mitigation
Barco has released firmware version 2.5.3.12 which remediates this vulnerability. Users should update to this version or later from the vendor's support site. No workarounds are documented for unpatched devices [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Barco/wePresent WiPG-1600W
- Range: 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- [1] korelogic.com/Resources/Advisories/KL-001-2020-004.txt (mitre, x_refsource_MISC)