CVE-2026-25715
Published: 20 February 2026
Description
The web management interface of the device allows the administrator username and password to be set to blank values. Once applied, the device permits authentication with empty credentials over the web management interface and Telnet service. This effectively disables authentication across all critical management channels, allowing any network-adjacent attacker to gain full administrative control without credentials.
Mitigating Controls (NIST 800-53 r5)
- Directly prohibits administrative access to management interfaces without identification or authentication, addressing the core issue of empty credential acceptance.
- Requires establishment of authenticator content with minimum strength and management procedures that prevent blank or weak passwords from being set or accepted.
- Mandates unique identification and authentication for organizational users accessing the management interfaces, preventing unauthenticated administrative control.
Security Summary
CVE-2026-25715, published on 2026-02-20, is a critical vulnerability in the web management interface of the device, assigned CVSS score 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-521. The issue allows the administrator username and password to be set to blank values. Once applied, the device accepts authentication with empty credentials over both the web management interface and Telnet service, effectively disabling authentication for all critical management channels.
A network-adjacent attacker can exploit this vulnerability without privileges or user interaction by simply attempting to authenticate using empty credentials. Successful exploitation grants full administrative control of the device, enabling high-impact confidentiality, integrity, and availability violations.
Mitigation guidance is provided in CISA ICS Advisory ICSA-26-050-03, available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-03 and the corresponding CSAF JSON file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-03.json.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables authentication bypass using empty/default credentials (T1078.001) on public-facing web management interface and Telnet (T1190).