CVE-2020-28334
Description
Barco wePresent WiPG-1600W devices use Hard-coded Credentials (issue 2 of 2). Affected Version(s): 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19. The Barco wePresent WiPG-1600W device has a hardcoded root password hash included in the firmware image. Exploiting CVE-2020-28329, CVE-2020-28330 and CVE-2020-28331 could potentially be used in a simple and automated exploit chain to go from unauthenticated remote attacker to root shell.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Hardcoded root password hash in Barco wePresent WiPG-1600W firmware allows SSH access if combined with other exploits.
Vulnerability
The Barco wePresent WiPG-1600W device contains a hardcoded root password hash in the /etc/shadow file of the firmware. The device does not prompt the administrator to set a new root password, so this password is the same across all devices. Affected firmware versions are 2.5.1.8, 2.5.0.25, 2.5.0.24, and 2.4.1.19 [1].
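A defender's check for this class of flaw, as an added example (not code from the advisory, the vendor, or this page): it parses the `/etc/shadow` files from extracted firmware root filesystems and reports accounts whose usable password hash is identical across images. The image labels, account entries and hashes are constructed placeholders, and the function names are hypothetical.

```python
from collections import defaultdict

# crypt(3) scheme ids as they appear between the first two '$' of a hash
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}

# Constructed sample data: placeholder hashes, not values from any real firmware.
SAMPLE_IMAGES = {
    "image-A": "root:$1$CONSTRUCT$PLACEHOLDER0000000000000:10933:0:99999:7:::\n"
               "daemon:*:10933:0:99999:7:::\n",
    "image-B": "root:$1$CONSTRUCT$PLACEHOLDER0000000000000:10933:0:99999:7:::\n"
               "admin:$6$CONSTRUCT$UNIQUETOIMAGEB:18000:0:99999:7:::\n"
               "nobody:!:10933:0:99999:7:::\n",
}

def usable_accounts(shadow_text):
    """Return [(user, password_field, scheme)] for accounts that are not locked."""
    found = []
    for line in shadow_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or not fields[0] or fields[0].startswith("#"):
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            found.append((user, pw, "EMPTY (no password set)"))
        elif pw[0] in "!*":
            continue  # locked or login-disabled account
        elif pw.startswith("$"):
            found.append((user, pw, SCHEMES.get(pw.split("$")[1], "unknown")))
        else:
            found.append((user, pw, "descrypt (legacy DES)"))
    return found

def shared_hashes(images):
    """Map (user, hash, scheme) -> versions, for entries present in >1 image."""
    seen = defaultdict(set)
    for version, text in images.items():
        for entry in usable_accounts(text):
            seen[entry].add(version)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for (user, _hash, scheme), versions in shared_hashes(SAMPLE_IMAGES).items():
        print(f"{user}: same {scheme} hash shipped in {', '.join(versions)}")
```

A hash that repeats across images was baked in at build time rather than set per device, which is the condition this CVE describes.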
Exploitation
An attacker with network access could leverage this hardcoded credential in conjunction with other vulnerabilities (CVE-2020-28329, CVE-2020-28330, CVE-2020-28331) to form a simple and automated exploit chain, potentially escalating from an unauthenticated remote attacker to a root shell [1]. The hash itself has not been publicly cracked, but it could be at any time [1].
Impact
Successful exploitation could grant an attacker root-level access to the device via SSH, leading to full compromise of the device's confidentiality, integrity, and availability [1].
Mitigation
The vendor has released an updated firmware version 2.5.3.12 that remediates this vulnerability. Firmware and release notes are available at the Barco support website [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Barco/wePresent WiPG-1600W
- Range: =2.5.1.8, =2.5.0.25, =2.5.0.24, =2.4.1.19
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/160163/Barco-wePresent-Global-Hardcoded-Root-SSH-Password.html (mitre, x_refsource_MISC)
- korelogic.com/Resources/Advisories/KL-001-2020-008.txt (mitre, x_refsource_MISC)