CVE-2022-44236

Vulnerability

Beijing Zed-3 Technologies VoIP simpliclty ASG version 8.5.0.17807 (20181130-16:12) is shipped with a weak default password for the administrative account. The device is configured with the username admin and password admin [1]. No additional authentication mechanisms or complexity requirements are enforced, allowing immediate access to the web management interface.

Exploitation

An attacker with network access to the device's management interface can log in using the default credentials admin / admin [1]. No prior authentication, user interaction, or special privileges are required. The attack vector is remote and can be carried out over the network without any authentication bypass or race condition.

Impact

Successful exploitation grants the attacker full administrative control over the VoIP simpliclty ASG device. This leads to complete compromise of confidentiality, integrity, and availability: the attacker can read sensitive configuration data, modify device settings, intercept or redirect voice traffic, and potentially disrupt service [1]. The privilege level achieved is administrative — the highest level of access on the device.

Mitigation

As of the published reference [1], no vendor-supplied security update or patch is explicitly mentioned. The device version 8.5.0.17807 is affected. Users should change the default password immediately to a strong, unique password via the device's administration interface. If the device is no longer supported or reachable end-of-life, replacement or isolation from untrusted networks is recommended.