The default admin account in Dualog Connection Suite 2.x should be considered a backdoor account: it allows the application to be completely compromised. The installation also contained an associated 16-byte password hash that could be cracked.
On October 18, 2020, Dualog disabled the backdoor accounts in all Connection Suite 2.x versions through a patch delivered via an over-the-air (OTA) update. The option is removed entirely in Dualog Connection Suite version 3.0.0 and later. Dualog Connection Suite 3.0 was released on December 8, 2020. See the Connection Suite 3.0 release notes.
For older versions, the documentation clearly states that the Connection Suite interface on the vessel must be blocked from internet access. Dualog regularly checks for such misconfigured firewalls, and we always notify the customer when we find one.
This vulnerability was found by Pen Test Partners (PTP) during random security testing.