Cyber Posture

CVE-2025-26410

Critical

Published: 11 February 2025

Published
11 February 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0034 56.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may abuse Unix shell commands and scripts for execution.

Security Summary

CVE-2025-26410, published on 2025-02-11, is a critical vulnerability (CVSS 3.1 score of 9.8, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) stemming from CWE-798: Use of Hard-coded Credentials. It affects the firmware of all Wattsense Bridge devices, where identical hard-coded user and root credentials are embedded. The user password is susceptible to easy recovery through password cracking attempts.

An attacker with access to the firmware can recover the user credentials via cracking and use them to authenticate to the device's login shell, which is exposed via the serial interface. This grants shell access, including root privileges in affected versions, enabling high-impact compromise of confidentiality, integrity, and availability.

Mitigation is available in firmware BSP version 6.4.1 and later, where the backdoor user has been removed. For further details, consult advisories including SEC Consult at https://r.sec-consult.com/wattsense, Wattsense release notes at https://support.wattsense.com/hc/en-150/articles/13366066529437-Release-Notes, and Full Disclosure at http://seclists.org/fulldisclosure/2025/Feb/9.

Details

CWE(s)
CWE-798

MITRE ATT&CK Enterprise Techniques

T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
attack.mitre.org →
T1110.002 Password Cracking Credential Access
Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained.
attack.mitre.org →
T1078.001 Default Accounts Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

Hard-coded credentials in firmware directly enable T1552.001 (credentials in files), T1110.002 (password cracking), T1078.001 (default accounts for auth), and T1059.004 (Unix shell access via serial).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References