The GPM from WormHole Tech has an Unverified Password Change vulnerability, allowing unauthenticated remote attackers to change any users password and use the modified password to log into the system.
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.