AXESS TMC makes a set of terminals that manage Time & Attendance as well as Access Control. For example, the X1 and X2 perform a lot of functions in a compact unit and still offer remote management capability (Shodan search and look for “X1/X2 Configuration”).
These devices have default administrator credentials for the web and FTP interfaces: admin / admin
As admin you can recover the other passwords, because they are stored in plaintext. In the web interface they are displayed on the various configuration screens. Over FTP (or via the HTTP browse-file menu) they are available in the PARAMETERS.TXT file:
There is an XSS vulnerability in /file_manager.cgi (CVE-2013-78000) via file upload as demonstrated here:
For red teamers, access to this device could allow for remote disabling of physical security features. The /biometric.cgi page lets you manipulate the biometric sensors or disable them completely if they are already enabled. It isn’t as good as popping the door locks but sure makes it easier for physical access!
The /access.cgi page can also let you manipulate access controls or disable them completely:
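Because the endpoints named above change the physical-security state of the terminal, a defender's first step is usually to watch who reaches them and whether the factory credentials are still accepted. The following is an added example, not code from the original post or from AXESS TMC: it runs over a few constructed access-log lines from a reverse proxy assumed to sit in front of the terminal (the log format, the proxy, the management-host allowlist and the sample addresses are all assumptions) and flags three conditions: a sensitive CGI page reached from outside the management allowlist, an upload to /file_manager.cgi (the XSS vector), and a successful request carrying the default admin / admin Basic credentials.

```python
"""Flag risky requests to an AXESS TMC X1/X2 terminal from proxy access logs.

Added example (not part of the original post). Assumptions: a reverse proxy
in front of the terminal logs the request line, status and the raw
Authorization header; management hosts live on 10.0.5.0/24.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Pages named in the post that alter biometric / access-control state.
SENSITIVE_ENDPOINTS = {"/biometric.cgi", "/access.cgi", "/file_manager.cgi"}

# Assumed: only these management hosts should ever touch the terminal.
MANAGEMENT_ALLOWLIST = {"10.0.5.10", "10.0.5.11"}

# Factory credentials reported in the post.
DEFAULT_CREDENTIALS = ("admin", "admin")

# Assumed log format:
#   <src> - [<timestamp>] "<METHOD> <path> HTTP/1.x" <status> "<Authorization header or ->"
LOG_RE = re.compile(
    r'^(?P<src>\S+) - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<auth>[^"]*)"$'
)

Finding = Tuple[str, str, str]  # (kind, source address, path)


def decode_basic(header: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an HTTP Basic Authorization value, else None."""
    if not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def analyze(lines: List[str]) -> List[Finding]:
    """Return one finding per risky condition seen in the given log lines."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these separately
        src, method, status, auth = m["src"], m["method"], m["status"], m["auth"]
        path = m["path"].split("?", 1)[0]  # drop the query string before matching

        # 1. Sensitive page reached from a host that is not a known management host.
        if path in SENSITIVE_ENDPOINTS and src not in MANAGEMENT_ALLOWLIST:
            findings.append(("sensitive_endpoint_from_unmanaged_host", src, path))

        # 2. Any upload to the file manager deserves review (XSS via uploaded file).
        if path == "/file_manager.cgi" and method == "POST":
            findings.append(("file_manager_upload", src, path))

        # 3. The device still accepts the factory credentials.
        if decode_basic(auth) == DEFAULT_CREDENTIALS and status == "200":
            findings.append(("default_credentials_accepted", src, path))
    return findings


def _basic(user: str, password: str) -> str:
    """Build a Basic Authorization value for the constructed sample lines."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    f'10.0.5.10 - [12/Mar/2014:09:15:02 +0000] "GET /index.cgi HTTP/1.1" 200 "{_basic("admin", "s3cr3tpass")}"',
    f'192.168.44.7 - [12/Mar/2014:09:16:40 +0000] "POST /biometric.cgi HTTP/1.1" 200 "{_basic("admin", "admin")}"',
    f'10.0.5.11 - [12/Mar/2014:09:17:05 +0000] "POST /file_manager.cgi HTTP/1.1" 200 "{_basic("admin", "s3cr3tpass")}"',
    '192.168.44.9 - [12/Mar/2014:09:18:11 +0000] "GET /access.cgi?view=1 HTTP/1.1" 401 "-"',
]

if __name__ == "__main__":
    for kind, src, path in analyze(SAMPLE_LOG):
        print(f"{kind:40} {src:15} {path}")
```

On the sample above the second line produces two findings (an unmanaged host reaching /biometric.cgi, and the terminal accepting admin / admin), the third flags the file-manager upload even though it comes from a management host, and the fourth shows that a probe is reported even when the terminal answered 401. The default-credential check is the one to act on first: it means the device is still at factory settings, which is the precondition for everything else described in the post.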