The Mennekes Amtron series (firmware versions ≤ 5.22.3) contains an authentication bypass vulnerability (CWE-287) that permits an unauthenticated remote attacker to change user account passwords via a crafted POST request to the /operator/operator endpoint. This flaw effectively allows attackers to gain unauthorized control over user accounts without needing valid credentials. The vulnerability is publicly documented with a CVSS 4.0 score of 9.3 (critical severity). There is no vendor advisory or patch available at this time, and the product is not a cloud service, so remediation depends on vendor action or other mitigations.

An unauthenticated remote attacker can change user account passwords, leading to unauthorized access and potential full control over affected Mennekes Amtron devices. This compromises device integrity and security, potentially allowing attackers to manipulate device functions or data. The critical CVSS score reflects the high likelihood and impact of exploitation.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict network access to the affected devices, especially blocking access to the /operator/operator endpoint from untrusted networks. Monitor for unusual activity related to authentication or password changes. Avoid exposing these devices directly to the internet.