CVE-2026-25715 · CRITICAL 9.8 · EPSS p42.6%

Description

The web management interface of the device allows the administrator username and password to be set to blank values. Once applied, the device permits authentication with empty credentials over the web management interface and Telnet service. This effectively disables authentication across all critical management channels, allowing any network-adjacent attacker to gain full administrative control without credentials.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.57% probability of exploitation · percentile 42.6% · 2026-06-18T12:00:27Z
Published: 2026-02-20
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-521

References

  1. https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-03.json
  2. https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-03

Type: Weakness
Target: Weak Password Requirements (cwe-521)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-22910
CVE-2025-41651
CVE-2026-35075
CVE-2026-24789
CVE-2025-3719
CVE-2025-41719

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.