CVE-2020-28330
Description
Barco wePresent WiPG-1600W devices have Unprotected Transport of Credentials. Affected Version(s): 2.5.1.8. An attacker armed with hardcoded API credentials (retrieved by exploiting CVE-2020-28329) can issue an authenticated query to display the admin password for the main web user interface listening on port 443/tcp of a Barco wePresent WiPG-1600W device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Hardcoded API credentials allow an attacker to retrieve the admin password in plaintext on Barco wePresent WiPG-1600W devices.
Vulnerability
An unprotected transport of credentials vulnerability exists in the Barco wePresent WiPG-1600W running firmware version 2.5.1.8. An attacker who has already obtained the hardcoded API credentials (by exploiting CVE-2020-28329) can send an authenticated HTTPS request to the internal API endpoint on port 4001/tcp and retrieve the admin password for the web user interface in plaintext [1].
Exploitation
The attacker must first have access to the hardcoded credentials (e.g., through CVE-2020-28329) and network connectivity to the device. The attacker then sends a curl request with the hardcoded credentials (admin:[REDACTED]) to https://:4001/w1.0. The response contains the admin password in the SystemPassword field [1].
Impact
Successful exploitation gives the attacker the admin password for the main web UI on port 443/tcp. With admin access, the attacker can make any configuration changes to the device, potentially compromising the confidentiality, integrity, and availability of the system [1].
Mitigation
As of the advisory publication date (2020-11-20), no vendor patch or workaround had been released. Administrators should monitor Barco's security advisories for firmware updates [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Barco/wePresent WiPG-1600W
- Range: = 2.5.1.8
Patches
No patches discovered yet.
References
- [1] korelogic.com/Resources/Advisories/KL-001-2020-005.txt (mitre, x_refsource_MISC)