CVE-2025-26326
Published: 28 February 2025
Description
Adversaries may leverage external-facing remote services to initially access and/or persist within a network.
Security Summary
CVE-2025-26326, published on 2025-02-28, is a vulnerability in the NVDA Remote version 2.6.4 and Tele NVDA Remote version 2025.3.3 remote connection add-ons. These add-ons lack additional authentication or computer verification mechanisms beyond a password, allowing attackers to gain total control of the remote system by guessing weak passwords (CWE-287: Improper Authentication). The issue arises because the add-ons accept any entered password without further checks. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker can exploit this vulnerability by guessing the password through brute force or trial-and-error methods, which is feasible given that tests identified over 1,000 systems using easy-to-guess passwords, many with fewer than 4 to 6 characters or common sequences. Successful exploitation provides the attacker with complete access to the affected system, enabling command execution, file modification, and full compromise of user security.
Advisories, patches, and related details are available in the referenced repositories and sites: https://github.com/NVDARemote/NVDARemote, https://github.com/azurejoga/CVE-2025-26326, https://github.com/nvda-es/TeleNVDA, https://nvda-addons.org/addon.php?id=270, and https://nvdaremote.com/.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability's lack of authentication beyond a weak password directly enables brute force/trial-and-error password guessing (T1110.001) to exploit the exposed remote connection add-on (T1133 External Remote Services) for full system control and command execution.