CRITICAL🇵🇱 Wersja polska

CVE-2026-25715

CVSS 9.8v3.1pub. 2026-02-20upd. 2026-04-15

The web management interface of the device allows the administrator username and password to be set to blank values. Once applied, the device permits authentication with empty credentials over the web management interface and Telnet service. This effectively disables authentication across all critical management channels, allowing any network-adjacent attacker to gain full administrative control without credentials.

🤖 AI Analysis
How it works

The vulnerability consists of the lack of enforcement of minimum password strength requirements (CWE-521 — Weak Password Requirements). An administrator can configure the device so that the username and password are empty strings. After applying such a configuration, the device accepts authentication with empty credentials both through the web interface and through the Telnet service. In practice, this completely eliminates the access control mechanism for critical management channels.

Impact

An attacker located on the network, without possessing any credentials, can obtain full administrative control over the device, including the ability to change configuration, disable security measures, and further compromise network infrastructure.

Mitigation & patch

Apply patches available from the manufacturer according to the references provided. Additionally, it is recommended to immediately configure strong, non-empty administrator passwords, restrict access to the web management interface and Telnet service exclusively to trusted hosts, and consider disabling the Telnet service in favor of more secure protocols (e.g., SSH).

Who is affected

Versions indicated in manufacturer references (details in CISA ICS-CERT advisory: ICSA-26-050-03)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References