Cyber Resilience

CVE-2020-36915

HighPublic PoC

Published: 06 January 2026

Published
06 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0033 24.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2020-36915 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Ibmcloud (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked at the 24.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and AC-2 (Account Management).

Deeper analysis

CVE-2020-36915 is a vulnerability in the Adtec Digital SignEdje Digital Signage Player version 2.08.28, stemming from multiple hardcoded default credentials that permit unauthenticated remote access to its web, telnet, and SSH interfaces. This issue affects multiple versions of Adtec Digital products and is classified under CWE-798 (Use of Hard-coded Credentials) and CWE-1392 (Use of Default Credentials). The vulnerability received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting its high confidentiality impact due to network-accessible exploitation with low complexity.

Attackers require only network access to the affected device, with no need for authentication, privileges, or user interaction. By leveraging the hardcoded credentials, they can achieve root-level access and execute arbitrary system commands on the targeted system.

Advisories and related resources, including exploit details, are documented at https://exchange.xforce.ibmcloud.com/vulnerabilities/190628, https://packetstorm.news/files/id/159709, https://www.adtecdigital.com, https://www.exploit-db.com/exploits/48954, and https://www.vulncheck.com/advisories/adtec-digital-signedje-digital-signage-player-default-credentials. The CVE was published on 2026-01-06T16:15:47.550.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Adtec Digital SignEdje Digital Signage Player v2.08.28 contains multiple hardcoded default credentials that allow unauthenticated remote access to web, telnet, and SSH interfaces. Attackers can exploit these credentials to gain root-level access and execute system commands across multiple Adtec Digital…

more

product versions.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1078.001 Default Accounts Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1133 External Remote Services Persistence
Adversaries may leverage external-facing remote services to initially access and/or persist within a network.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1021.004 SSH Lateral Movement
Adversaries may use [Valid Accounts](https://attack.
Why these techniques?

Hardcoded default credentials directly enable unauthenticated remote access to public-facing services (web/SSH/telnet) and root command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-35452Shared CWE-1392, CWE-798
CVE-2026-45039Shared CWE-1392, CWE-798
CVE-2018-25138Shared CWE-798
CVE-2026-27507Shared CWE-798
CVE-2025-35451Shared CWE-798
CVE-2023-27573Shared CWE-1392, CWE-798
CVE-2019-25241Shared CWE-798
CVE-2026-28255Shared CWE-798
CVE-2026-25202Shared CWE-798
CVE-2024-8893Shared CWE-798

Affected Assets

Ibmcloud
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates changing default authenticators prior to first use, comprehensively addressing hardcoded credentials in web, telnet, and SSH interfaces.

prevent

Requires management of system accounts including disabling unnecessary ones and protecting authenticators, mitigating exploitation of hardcoded default credentials.

prevent

Enforces secure configuration settings that eliminate default credentials across affected Adtec Digital products.

References