
The US CISA has added a new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation:
CVE-2021-44207: Acclaim Systems USAHERDS Use of Hard-Coded Credentials Vulnerability
CVE-2021-44207, with a CVSS score of 8.1, affects Acclaim Systems USAHERDS software versions up to and including 7.4.0.1. The vulnerability arises from the use of hard-coded credentials within the software. Hard-coded credentials are usernames, passwords, or cryptographic keys embedded directly in the code. They are usually intended for initial setup or debugging, but they become a significant security risk if they are not removed before deployment. In the case of CVE-2021-44207, an attacker who knows these embedded credentials can use them to gain unauthorized access to the system.
Impact: The presence of hard-coded credentials can have severe consequences:
- Unauthorized Access: Attackers can gain unauthorized entry into the system, potentially accessing sensitive data or controlling critical functions.
- Data Breaches: Unauthorized access can lead to the theft of sensitive personal and medical information, causing significant privacy concerns.
- Operational Disruption: An attacker with access to system controls can disrupt normal operations, leading to downtime or manipulation of critical processes.
- Trust and Reputation: Security breaches can damage the trust and reputation of the affected organization, leading to financial and legal repercussions.
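The defect class described above, as an added example that is not code from USAHERDS or Acclaim Systems: a small Python checker that flags credential literals embedded in source lines or connection strings (the sample lines are constructed), beside a loader that reads the secret from the environment at runtime instead. The variable name APP_DB_PASSWORD is an assumption.

```python
import os
import re

# Constructed sample of application source/config lines. It models the
# defect class (credentials embedded in code); it is not USAHERDS code.
SAMPLE_SOURCE = """\
db_user = "svc_account"
db_password = "Summer2021!"
api_key = os.environ["API_KEY"]
connection = "Server=db;User Id=sa;Password=changeme123;"
# password rotation is handled by the vault client
"""

# Pattern 1: assignment of a quoted literal to a credential-like name.
# Pattern 2: a Password=/Pwd= field inside a connection string.
CREDENTIAL_PATTERNS = [
    re.compile(r'(?i)(password|passwd|pwd|secret|api[_-]?key|token)\w*\s*=\s*["\']([^"\']+)["\']'),
    re.compile(r'(?i)(password|pwd)\s*=\s*([^;"\']+)'),
]


def find_hardcoded_credentials(text):
    """Return (line_number, credential_kind) for each line that embeds a literal
    credential. Comment lines are skipped; a line is reported at most once."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#") or stripped.startswith("//"):
            continue
        for pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((lineno, match.group(1).lower()))
                break
    return findings


def load_db_password(env_var="APP_DB_PASSWORD", env=None):
    """Hardened alternative: obtain the secret at runtime from the environment
    (populated by a secrets manager), and refuse to fall back to a built-in
    default. APP_DB_PASSWORD is an assumed name for this example."""
    env = os.environ if env is None else env
    value = env.get(env_var)
    if not value:
        raise RuntimeError(f"{env_var} is not set; no built-in default exists")
    return value


if __name__ == "__main__":
    for lineno, kind in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {lineno}: embedded {kind} literal")  # lines 2 and 4
```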
Vendor Advisory
Acclaim Systems has issued an advisory concerning this vulnerability. They recommend that users update to the latest version of the software, which addresses the hard-coded credentials issue and enhances security. Following the vendor’s guidance is crucial for ensuring the system’s integrity and security.
CISA has set January 13, 2025, as the deadline for federal agencies to remediate the vulnerability.


