Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.8
Device allows empty admin username and password
CVE-2026-25715
Summary
A security issue in the device's web management interface allows an attacker on the same network to access and control the device without a password. This is a significant risk, as it allows unauthorized access to the device's settings and functions. To mitigate this, ensure that the admin username and password are set to non-empty values and consider changing the default credentials.
Original title
The web management interface of the device allows the administrator
username and password to be set to blank values. Once applied, the
device permits authentication with empty credentials over th...
Original description
The web management interface of the device allows the administrator
username and password to be set to blank values. Once applied, the
device permits authentication with empty credentials over the web
management interface and Telnet service. This effectively disables
authentication across all critical management channels, allowing any
network-adjacent attacker to gain full administrative control without
credentials.
username and password to be set to blank values. Once applied, the
device permits authentication with empty credentials over the web
management interface and Telnet service. This effectively disables
authentication across all critical management channels, allowing any
network-adjacent attacker to gain full administrative control without
credentials.
nvd CVSS3.1
9.8
Vulnerability type
CWE-521
Published: 20 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026