CVE-2020-36915
Published: 06 January 2026
Summary
CVE-2020-36915 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Ibmcloud (inferred from references). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE is ranked at the 24.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and AC-2 (Account Management).
Deeper analysis
CVE-2020-36915 is a vulnerability in the Adtec Digital SignEdje Digital Signage Player version 2.08.28, stemming from multiple hardcoded default credentials that permit unauthenticated remote access to its web, telnet, and SSH interfaces. This issue affects multiple versions of Adtec Digital products and is classified under CWE-798 (Use of Hard-coded Credentials) and CWE-1392 (Use of Default Credentials). The vulnerability received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting its high confidentiality impact due to network-accessible exploitation with low complexity.
Attackers require only network access to the affected device, with no need for authentication, privileges, or user interaction. By leveraging the hardcoded credentials, they can achieve root-level access and execute arbitrary system commands on the targeted system.
Advisories and related resources, including exploit details, are documented at https://exchange.xforce.ibmcloud.com/vulnerabilities/190628, https://packetstorm.news/files/id/159709, https://www.adtecdigital.com, https://www.exploit-db.com/exploits/48954, and https://www.vulncheck.com/advisories/adtec-digital-signedje-digital-signage-player-default-credentials. The CVE was published on 2026-01-06T16:15:47.550.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1021
Vulnerability details
Adtec Digital SignEdje Digital Signage Player v2.08.28 contains multiple hardcoded default credentials that allow unauthenticated remote access to web, telnet, and SSH interfaces. Attackers can exploit these credentials to gain root-level access and execute system commands across multiple Adtec Digital product versions.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hardcoded default credentials directly enable unauthenticated remote access to public-facing services (web/SSH/telnet) and root command execution.
Mitigating Controls (NIST 800-53 r5)
Directly mandates changing default authenticators prior to first use, comprehensively addressing hardcoded credentials in web, telnet, and SSH interfaces.
Requires management of system accounts including disabling unnecessary ones and protecting authenticators, mitigating exploitation of hardcoded default credentials.
Enforces secure configuration settings that eliminate default credentials across affected Adtec Digital products.