CVE-2020-16259
Winston 1.5.4 devices have an SSH user account with access from bastion hosts. This is undocumented in device documents and is not announced to the user.
Date published : 2020-10-28
https://labs.bishopfox.com/advisories/winston-privacy-version-1.5.4