Source
Zero Science Lab
The BAS controller is vulnerable to weak access control mechanism allowing any user to escalate privileges by disclosing credentials of administrative accounts in plain-text.
The BAS controller is vulnerable to hard-coded credentials within its Linux distribution image. These sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the device.
The BAS controller has hidden backdoors in several binaries that serve the web application. Any unauthenticated attacker can download all the resources and binaries/services that serve the controller and search for the 'backdoor()' function in httpser.elf as well as discover hidden credentials for backdoor access with full functionality of the Smart Home, Access Control and Building Automation System solutions.
The BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can bypass authentication and disclose sensitive information and circumvent physical access controls in smart homes and buildings and manipulate HVAC.
The BAS controller is vulnerable to configuration disclosure when direct object reference is made to the syspara.dat or images.dat files using an HTTP GET request. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and full system access.
The Building Automation System / SmartHome allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. These actions can be exploited to perform any CRUD operation like user creation, alarm shutdown and account password change with administrative privileges if a logged-in user visits a malicious web site.