CVE-2025-26410 · CRITICAL 9.8 · EPSS p46.8%


Description

The firmware of all Wattsense Bridge devices contains the same hard-coded user and root credentials. The user password can be easily recovered via password cracking attempts. The recovered credentials can be used to log into the device via the login shell that is exposed by the serial interface. The backdoor user has been removed in firmware BSP >= 6.4.1.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.66% probability of exploitation · percentile 46.8% · 2026-06-21T12:00:28Z
Published: 2025-02-11
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-798

References

  1. https://r.sec-consult.com/wattsense
  2. https://support.wattsense.com/hc/en-150/articles/13366066529437-Release-Notes
  3. http://seclists.org/fulldisclosure/2025/Feb/9


Type | Target | Confidence | Tier
Weakness | Use of Hard-coded Credentials (cwe-798) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2025-26411
CVE-2025-41682
CVE-2025-6260
CVE-2025-36752
CVE-2026-35075
CVE-2025-1143

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.