Fujitsu: Fujitsu “IP series” Real-Time Video Transmission Gear: Hard-Coded Credentials
CWE-798
Use of Hard-coded Credentials
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Per JVN#95727578: “Real-time Video Transmission Gear ‘IP series’ provided by Fujitsu Limited uses a hard-coded credentials (CWE-798). The product’s credentials for factory testing may be obtained by reverse engineering and others.” Per Praetorian’s blog: “All Fujitsu IP series devices running firmware released prior to July 26, 2023 contain hard-coded backdoor credentials that cannot be changed by the end user.”
Affected Packages / Versions
- Package: Fujitsu IP-HE950E / IP-HE950D / IP-HE900E / IP-HE900D / IP-900E / IP-920E / IP-900D / IP-920D / IP-90 / IP-9610(—)
- Latest published version at triage time: V01L053 / V02L061 / V02L007 across the affected models
- Affected range: Per JVN#95727578: IP-HE950E V01L001–V01L053; IP-HE950D V01L001–V01L053; IP-HE900E V01L001–V01L010; IP-HE900D V01L001–V01L004; IP-900E/IP-920E V01L001–V02L061; IP-900D/IP-920D V01L001–V02L061; IP-90 V01L001–V01L013; IP-9610 V01L001–V02L007.
- Patched version: Fujitsu firmware update released July 26, 2023 (per JVN#95727578)
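To triage an asset inventory against the affected ranges listed above, the following added example (not part of the advisory or any Fujitsu tooling) parses `VxxLyyy` firmware strings and classifies each device. It assumes versions order numerically by the V number and then the L number; the inventory rows, hostnames and the model `IP-1000` are constructed for illustration. A result outside the listed range does not by itself confirm the July 26, 2023 update is installed.

```python
import re

# Affected firmware ranges as listed on this page (per JVN#95727578).
AFFECTED = {
    "IP-HE950E": ("V01L001", "V01L053"),
    "IP-HE950D": ("V01L001", "V01L053"),
    "IP-HE900E": ("V01L001", "V01L010"),
    "IP-HE900D": ("V01L001", "V01L004"),
    "IP-900E": ("V01L001", "V02L061"),
    "IP-920E": ("V01L001", "V02L061"),
    "IP-900D": ("V01L001", "V02L061"),
    "IP-920D": ("V01L001", "V02L061"),
    "IP-90": ("V01L001", "V01L013"),
    "IP-9610": ("V01L001", "V02L007"),
}
_VER = re.compile(r"V(\d+)L(\d+)", re.IGNORECASE)

def parse_version(text):
    """Return (V, L) as integers. Assumption: versions order by V, then L."""
    m = _VER.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def classify(model, version):
    """Return affected / outside-listed-range / unknown-model / unparsable-version."""
    bounds = AFFECTED.get(model.strip().upper())
    if bounds is None:
        return "unknown-model"
    try:
        v = parse_version(version)
    except ValueError:
        return "unparsable-version"  # needs manual review, not a pass
    low, high = (parse_version(b) for b in bounds)
    return "affected" if low <= v <= high else "outside-listed-range"

# Constructed inventory rows (hostname, model, firmware); not real devices.
INVENTORY = [
    ("enc-studio-1", "IP-HE950E", "V01L040"),
    ("enc-ob-van", "ip-900e", "V02L061"),
    ("dec-mcr-2", "IP-9610", "V02L008"),
    ("dec-remote", "IP-90", "1.13"),
    ("cam-gw", "IP-1000", "V01L001"),
]

def audit(rows):
    return {host: classify(model, fw) for host, model, fw in rows}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:14} {status}")
```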
Impact
Per JVN: “An attacker who log in to the web interface using the obtained credentials may initialize or reboot the products, and as a result, terminate the video transmission.” Per Praetorian’s blog: “These hardcoded credentials provide administrative access to the devices, which an attacker can use to upload files and firmware updates… A skilled attacker could leverage these vulnerabilities to obtain persistence on the devices.”
Severity Rationale
Score discrepancy: JVN scores CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (5.9 Medium). NVD scores 7.5 (High). Reviewer should reconcile before publication. CISA also released ICSA-23-248-01 for this issue.
Fix
Per JVN: “Update the firmware to the latest version according to the information provided by the developer.” Workaround: “Place the products on a secure network.”
Disclosure timeline
- May 30, 2023: Reported to Fujitsu (per Praetorian's blog: "Tuesday, May 30, 2023")
- Jul 26, 2023: Patch released (per JVN#95727578 Last Updated and Praetorian's blog)
- Jul 26, 2023: Public disclosure (per JVN#95727578 Published)
Discovered by Praetorian Labs · Published April 29, 2026