CVE-2024-5514

critical

Description

MinMax CMS from MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend system without being recorded in the system logs.

References

https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html

https://www.twcert.org.tw/en/cp-139-7831-b9a46-2.html

https://www.chtsecurity.com/news/6b2393f5-3041-4011-b2ea-528e312c6b3c

https://www.chtsecurity.com/news/2dde8d39-59fc-4c09-b4ad-0acf692321c5

Details

Source: Mitre, NVD

Published: 2024-05-30

Updated: 2026-04-15

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00411