Pohl only found that out by accident, while working with a client’s network. “When I got into the device in question, I thought: ‘Hey, there’s a username and password in here,’” he recalls.
At least the credentials weren’t stored in clear text. But Pohl decompiled the Java class he guessed was responsible for the decryption and easily found a static AES key hard-coded in the source.
After a little bit of reverse engineering using CyberChef, “all of a sudden, out popped a clear text password. And I took that username and password that I got from the Dell Compellent software, went to the vCenter login, and I literally logged in and took over their entire environment.”
It wasn’t merely that Pohl possessed the same vCenter admin access as the Dell software, with the ability to observe, steal, or manipulate all of the data contained within. As he emphasized in a press release: “This key is the same for EVERY customer! If a criminal leverages this vulnerability, they could use it against any of Dell’s customers.”
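The following Java program is an added illustration, not Dell’s code or anything from the article, of why a key compiled into a class is a cross-customer problem: a credential blob sealed on one installation opens on any other installation shipping the same class, whereas a per-installation key rejects it. The key bytes, class and method names, and the credential string are all constructed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class KeyScopeDemo {
    // ANTI-PATTERN: key literal compiled into the class, so every install ships the same
    // bytes and anyone who decompiles the jar recovers them. Placeholder value, not any vendor's key.
    private static final byte[] STATIC_KEY =
        "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
    static SecretKey hardcodedKey() { return new SecretKeySpec(STATIC_KEY, "AES"); }

    // Mitigation: a fresh 256-bit key per installation, generated on first run and stored
    // in a permission-restricted file or an OS/HSM-backed keystore, never in the jar.
    static SecretKey perInstallKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    // AES-GCM; the random 12-byte nonce is prefixed to the ciphertext.
    static byte[] seal(SecretKey k, String secret) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, k, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(secret.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static String open(SecretKey k, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(128, blob, 0, 12));
        return new String(c.doFinal(blob, 12, blob.length - 12), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample credential written by "install A".
        byte[] blobA = seal(hardcodedKey(), "vcenter-admin:placeholder-password");
        // "Install B" ships the same class, so it opens A's blob: the cross-customer exposure.
        System.out.println("static key, other install: " + open(hardcodedKey(), blobA));

        SecretKey keyA = perInstallKey(), keyB = perInstallKey();
        byte[] blobA2 = seal(keyA, "vcenter-admin:placeholder-password");
        try { open(keyB, blobA2); }
        catch (AEADBadTagException e) { System.out.println("per-install key, other install: rejected"); }
    }
}
```

The GCM authentication tag is what turns the wrong-key case into a clean rejection instead of garbage output; the per-installation key must then itself be protected with file permissions or a keystore, since the code can no longer be the hiding place.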