I'll leave the manufacturer unnamed for now - I reached out to some high-level folks there to see if I would get a fix/response.
This was not discovered by any exotic means; I simply noticed that support staff working with me on a really odd/tier2 issue logged into a device that I owned as root. The documentation doesn't mention that this account exists and it doesn't appear to be controlled via the web administration. I inquired about the password for said account and was denied. I've spoken to support about it indirectly in an attempt to get more information or see if it was removed via firmware and was told that it was not for customer use. I recall hearing the password entered on the phone while working with support and figured it was short enough that one day I'd find time and do some googling to figure out how to brute-force it.
What I have:
Several devices in hand and in production with various releases of firmware. Obviously admin on the devices via the standard web interface.
Access to some older and current firmware in .bin format.
I have spent a few minutes guessing away at passwords for the root acct which is the account in question.
I also let hydra beat up on it (brute-forcing sshd root acct) for 15 hours using one of those default wordlists that come with a Kali install. No dice.
I know on some firmwares it is possible to gain CLI access (via telnet only), but it's not a true Linux shell, just an admin interface with a limited set of device-specific commands. It appears telnetd is removed on newer firmwares and I assume users can log in via ssh at that point to utilize the device-specific commands.
Suggestions?