KevinLAB BEMS 1.0 Undocumented Backdoor Account

CVE Category Price Severity
N/A CWE-16: Configuration Not specified High
Author Risk Exploitation Type Date
Not specified High Remote 2021-07-21
CVSS:4.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at:

Below is a copy:

KevinLAB BEMS 1.0 Undocumented Backdoor Account
KevinLAB BEMS 1.0 Undocumented Backdoor Account

Vendor: KevinLAB Inc.
Product web page:
Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System)

Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy
management platform. KevinLAB's BEMS (Building Energy Management System) enables
efficient energy management in buildings. It improves the efficient of energy use
by collecting and analyzing various information of energy usage and facilities in
the building. It also manages energy usage, facility efficiency and indoor environment

Desc: The BEMS solution has an undocumented backdoor account and these sets of
credentials are never exposed to the end-user and cannot be changed through any
normal operation of the solution thru the RMI. Attacker could exploit this
vulnerability by logging in using the backdoor account with highest privileges
for administration and gain full system control. The backdoor user cannot be
seen in the users settings in the admin panel and it also uses an undocumented
privilege level (admin_pk=1) which allows full availability of the features that
the BEMS is offering remotely.

Tested on: Linux CentOS 7
           Apache 2.4.6
           Python 2.7.5
           PHP 5.4.16
           MariaDB 5.5.68

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

Advisory ID: ZSL-2021-5654
Advisory URL:



Backdoor accounts from the DB:

Username: kevinlab (permission=1)
Password: kevin003

Username: developer1 (permission=6)
Password: 1234

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum