The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using these accounts provides full system access.
Credits
Thomas Jou of Princeton University reported this vulnerability to CISA.
