The web management interface of the device allows the administrator username and password to be set to blank values. Once applied, the device permits authentication with empty credentials over the web management interface and Telnet service. This effectively disables authentication across all critical management channels, allowing any network-adjacent attacker to gain full administrative control without credentials.
The vulnerability consists of the lack of enforcement of minimum password strength requirements (CWE-521 — Weak Password Requirements). An administrator can configure the device so that the username and password are empty strings. After applying such a configuration, the device accepts authentication with empty credentials both through the web interface and through the Telnet service. In practice, this completely eliminates the access control mechanism for critical management channels.
An attacker located on the network, without possessing any credentials, can obtain full administrative control over the device, including the ability to change configuration, disable security measures, and further compromise network infrastructure.
Apply patches available from the manufacturer according to the references provided. Additionally, it is recommended to immediately configure strong, non-empty administrator passwords, restrict access to the web management interface and Telnet service exclusively to trusted hosts, and consider disabling the Telnet service in favor of more secure protocols (e.g., SSH).
Versions indicated in manufacturer references (details in CISA ICS-CERT advisory: ICSA-26-050-03)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H