CVE-2026-25715 | THREATINT

Description

The web management interface of the device allows the administrator username and password to be set to blank values. Once applied, the device permits authentication with empty credentials over the web management interface and Telnet service. This effectively disables authentication across all critical management channels, allowing any network-adjacent attacker to gain full administrative control without credentials.

PUBLISHED Reserved 2026-02-10 | Published 2026-02-20 | Updated 2026-02-20 | Assigner icscert

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-521

Product status

Default status

unaffected

Any version

affected

Credits

Abhishek Pandey of Payatu Security Consulting reported this to CISA. finder

References

www.cisa.gov/news-events/ics-advisories/icsa-26-050-03

github.com/...p/csaf_files/OT/white/2026/icsa-26-050-03.json

cve.org (CVE-2026-25715)

nvd.nist.gov (CVE-2026-25715)

Download JSON