CVE-2026-25715NVD

Vulnerability Summary

The web management interface of the device allows the administrator
username and password to be set to blank values. Once applied, the
device permits authentication with empty credentials over the web
management interface and Telnet service. This effectively disables
authentication across all critical management channels, allowing any
network-adjacent attacker to gain full administrative control without
credentials.

Severity Level

CRITICAL(9.8)

Published Date

Feb 20, 2026

Last Modified

Feb 20, 2026

Exploitation Status

????

EPSS Score (30-Day)

0.09%Probability

Root Weakness (CWE)

CWE-521: Unknown/Unlisted Weakness ↗

Refer to the official MITRE database for detailed architectural specifications regarding this weakness.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeUnchanged

ConfidentialityHigh

IntegrityHigh

AvailabilityHigh

External References

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-03.json
https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-03

Critical Alert 1 Active Exploit Detected Today

CVE Watchtower

CVE-2026-25715NVD

Vulnerability Summary

External References