It's possible to login with known username without password. Fixed with Service Pack 2.
vulners.com/securityvulns/securityvulns:doc:11847