A trio of security vulnerabilities has been discovered in Browan Communications’ PrismX MX100 AP Controller, the most severe of which essentially leaves the digital keys under the doormat. In a new vulnerability note from TWCERT/CC, researchers warn that unpatched controllers are wide open to remote attacks due to hard-coded credentials and command injection flaws.
The headline threat in this advisory is CVE-2026-1221, a vulnerability carrying a critical CVSS score of 9.8. The issue stems from a classic security bug: the use of hard-coded credentials.
According to the report, the firmware for the PrismX MX100 contains static login credentials for the system’s database. Because these credentials are “hard-coded” directly into the software, they are identical across every device running the vulnerable version. This allows an unauthenticated remote attacker to log in to the database effortlessly, bypassing standard authentication checks entirely.
Alongside the critical credential flaw, researchers identified two additional vulnerabilities that allow for OS Command Injection, enabling attackers to execute arbitrary commands on the underlying operating system.
- CVE-2026-1222 (CVSS 7.2): This high-severity flaw exists in the diagnostic function. An authenticated attacker with root privileges can inject malicious commands, effectively turning the diagnostic tool into a weapon for system takeover.
- CVE-2026-1223 (CVSS 4.9): A similar medium-severity issue was found in the network_check function, which also suffers from insufficient input validation, allowing for command injection.
While these two vulnerabilities require authentication and high-level privileges (root) to exploit, the existence of the hard-coded credential flaw (CVE-2026-1221) significantly raises the overall risk, as it could provide the initial foothold an attacker needs.
The vulnerabilities affect all PrismX MX100 AP controllers running firmware versions prior to 1.03.23.01.
Browan Communications has released a patch to address these issues. Administrators using these controllers are strongly advised to update their devices to version 1.03.23.01 or later immediately to remove the hard-coded credentials and fix the command injection flaws.
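To find which controllers still run an affected build, the check below compares each reported firmware version with 1.03.23.01 numerically, field by field, because a plain string comparison misorders values such as 1.03.9.12. It is an added example, not code from Browan or TWCERT/CC; the device names, the sample inventory and the assumption that the four dotted fields compare as integers are constructed for illustration.

```python
import re

# First fixed firmware version, as stated in the advisory.
FIXED_VERSION = "1.03.23.01"


def parse_version(text):
    """Return a dotted firmware version as a tuple of ints, or None if malformed.

    Assumption: versions have four numeric fields and compare field by field.
    """
    text = text.strip().lstrip("vV")
    if not re.fullmatch(r"\d+(\.\d+){3}", text):
        return None
    return tuple(int(part) for part in text.split("."))


def triage(inventory):
    """Map each controller name to 'vulnerable', 'patched' or 'unknown'."""
    fixed = parse_version(FIXED_VERSION)
    status = {}
    for name, version in inventory.items():
        parsed = parse_version(version)
        if parsed is None:
            # Unparseable version: flag for manual inspection, never assume patched.
            status[name] = "unknown"
        elif parsed < fixed:
            status[name] = "vulnerable"
        else:
            status[name] = "patched"
    return status


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = {
    "ap-ctrl-hq": "1.03.23.01",
    "ap-ctrl-branch1": "1.03.9.12",   # sorts after the fix as a string, before it as numbers
    "ap-ctrl-branch2": "v1.02.30.05",
    "ap-ctrl-dmz": "1.10.0.0",
    "ap-ctrl-old": "n/a",
}

if __name__ == "__main__":
    for device, state in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{device:18} {SAMPLE_INVENTORY[device]:12} {state}")
```

Devices reported as `unknown` should be checked by hand rather than treated as patched.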