Swissphone DiCal-RED 4009 devices allow a remote attacker to gain access to the administrative web interface via the device password's hash value, without knowing the actual device password.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
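
The flaw class described above, shown as an added illustration that is not Swissphone's code and not part of the original advisory: a login check that accepts a client-supplied hash makes the stored hash equivalent to the password, while hashing the submitted secret on the server does not. The function names, PBKDF2 parameters and sample password are assumptions constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed sample data; not taken from any real device.
PASSWORD = b"constructed-admin-password"
SALT = os.urandom(16)


def kdf(secret: bytes, salt: bytes) -> bytes:
    """Salted, iterated hash that is only ever computed on the server."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 200_000)


# Value the server stores. Assumption: an attacker has obtained it;
# the advisory does not say how.
STORED_HASH = kdf(PASSWORD, SALT)


def login_weak(client_value: bytes) -> bool:
    """Flawed pattern: the client sends the hash and the server compares it
    directly, so whoever holds the stored hash holds the credential."""
    return hmac.compare_digest(client_value, STORED_HASH)


def login_hardened(client_value: bytes) -> bool:
    """Hardened pattern: the server hashes whatever the client submits.
    Submitting the stored hash yields kdf(hash), which does not match."""
    return hmac.compare_digest(kdf(client_value, SALT), STORED_HASH)


if __name__ == "__main__":
    print("weak check, stored hash replayed:    ", login_weak(STORED_HASH))
    print("hardened check, stored hash replayed:", login_hardened(STORED_HASH))
    print("hardened check, real password:       ", login_hardened(PASSWORD))
```

With the hardened check, a leaked hash still has to be cracked offline before it is useful, which is why the stored value should also come from a slow, salted KDF.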