KevinLAB BEMS 1.0 Undocumented Backdoor Account  
Vendor: KevinLAB Inc.  
Product web page:  
Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System)  
Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy  
management platform. KevinLAB's BEMS (Building Energy Management System) enables  
efficient energy management in buildings. It improves the efficient of energy use  
by collecting and analyzing various information of energy usage and facilities in  
the building. It also manages energy usage, facility efficiency and indoor environment  
Desc: The BEMS solution has an undocumented backdoor account and these sets of  
credentials are never exposed to the end-user and cannot be changed through any  
normal operation of the solution thru the RMI. Attacker could exploit this  
vulnerability by logging in using the backdoor account with highest privileges  
for administration and gain full system control. The backdoor user cannot be  
seen in the users settings in the admin panel and it also uses an undocumented  
privilege level (admin_pk=1) which allows full availability of the features that  
the BEMS is offering remotely.  
Tested on: Linux CentOS 7  
Apache 2.4.6  
Python 2.7.5  
PHP 5.4.16  
MariaDB 5.5.68  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Advisory ID: ZSL-2021-5654  
Advisory URL:  
Backdoor accounts from the DB:  
Username: kevinlab (permission=1)  
Password: kevin003  
Username: developer1 (permission=6)  
Password: 1234