COMMAX CVD-Axx DVR 5.1.4 contains weak default administrative credentials that allow remote password attacks and disclose RTSP stream. Attackers can exploit this by sending a POST request with the passkey parameter set to 1234, allowing them to access the web control panel.
The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.