Dell KACE K2000 Systems Deployment Appliance installs with default user credentials. The 'kbox1248163264128256' account has a password of 'kbox1248163264128256', which is publicly known and documented. This allows remote attackers to trivially gain privileged access to the web interface which controls the device.
Additional details:
Looking at the KUser.class.php source, it appears this is a vendor backdoor:

    class KUser {
        private static $__admin_username = 'admin';
        private static $__backdoor_username = 'kbox1248163264128256';
While the 'admin' account is documented, the 'kbox1248163264128256' account is not. This account is not visible via the web interface:
    public static function ListAll($orderByClause = null, $limitClause = null,
                                   &$dbTotalCount = null, $search = null,
                                   $label = null, $permission = null)
    {
        ...
        $dbTotalCount = $db->GetOne(sprintf("select count(distinct USER.ID)
                                             from USER left join USER_LABEL_JT
                                             on USER.ID = USER_LABEL_JT.USER_ID
                                             where USER_NAME != '%s'
                                             %s",
                                            self::$__backdoor_username,
                                            $restrict));

        $rows = $db->Execute(sprintf("select *
                                      from USER left join USER_LABEL_JT
                                      on USER.ID = USER_LABEL_JT.USER_ID
                                      where USER_NAME != '%s'
                                      %s
                                      group by USER.ID
                                      %s %s",
                                     self::$__backdoor_username,
                                     $restrict,
                                     $orderByClause,
                                     $limitClause));
Additionally, it cannot be removed via the web interface:
    public static function Delete($id) {
        $db = dbConnect();
        // don't allow the admin users to be deleted
        $rset = $db->Execute(sprintf("select ID, FULL_NAME from USER
                                      where ID = %s
                                      and USER_NAME != %s
                                      and USER_NAME != %s",
                                     esc_sql($id),
                                     esc_sql(self::$__admin_username),
                                     esc_sql(self::$__backdoor_username)));
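To make the two mechanisms quoted above concrete, the following is an added audit example (not Dell's code) that rebuilds the USER table in an in-memory SQLite database with constructed rows, mirrors the ListAll filter and the Delete guard, and shows how an administrator with direct database access can surface accounts the web interface never lists. The schema is an assumption built only from the column and table names quoted in the advisory.

```python
import sqlite3

# Account names taken from the quoted KUser.class.php source.
ADMIN_USERNAME = "admin"
BACKDOOR_USERNAME = "kbox1248163264128256"


def make_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the appliance database; the real schema is not on the page."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE USER (ID INTEGER PRIMARY KEY, USER_NAME TEXT, FULL_NAME TEXT);
        CREATE TABLE USER_LABEL_JT (USER_ID INTEGER, LABEL_ID INTEGER);
        INSERT INTO USER VALUES (1, 'admin', 'Administrator');
        INSERT INTO USER VALUES (2, 'kbox1248163264128256', 'KBOX');
        INSERT INTO USER VALUES (3, 'jdoe', 'Jane Doe');
        INSERT INTO USER_LABEL_JT VALUES (3, 10);
    """)
    return db


def ui_visible_users(db: sqlite3.Connection) -> set:
    """Mirror of KUser::ListAll: the backdoor name is dropped by WHERE USER_NAME != ?."""
    rows = db.execute(
        "SELECT USER.ID, USER.USER_NAME FROM USER LEFT JOIN USER_LABEL_JT "
        "ON USER.ID = USER_LABEL_JT.USER_ID WHERE USER_NAME != ? GROUP BY USER.ID",
        (BACKDOOR_USERNAME,),
    ).fetchall()
    return {name for _, name in rows}


def all_users(db: sqlite3.Connection) -> set:
    """What an auditor sees with direct database access: every row, no filter."""
    return {name for (name,) in db.execute("SELECT USER_NAME FROM USER")}


def hidden_users(db: sqlite3.Connection) -> set:
    """Accounts present in the table but never shown by the web interface."""
    return all_users(db) - ui_visible_users(db)


def ui_can_delete(db: sqlite3.Connection, user_id: int) -> bool:
    """Mirror of KUser::Delete's guard: admin and the backdoor account are never deletable."""
    row = db.execute(
        "SELECT ID FROM USER WHERE ID = ? AND USER_NAME != ? AND USER_NAME != ?",
        (user_id, ADMIN_USERNAME, BACKDOOR_USERNAME),
    ).fetchone()
    return row is not None
```

Running `hidden_users()` against the real database is the check that the web interface cannot perform for you; any name it returns must be investigated and, where the UI refuses, disabled at the database or vendor level.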
A remote attacker could exploit this to modify existing deployment/recovery images, gain sensitive information, or mount further attacks (e.g. remote code execution via the associated vulnerabilities).