Cyber Posture

CVE-2025-11126

Critical

Published: 29 September 2025

Modified: 15 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0017 (38.0th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-11126 is a critical-severity Use of Hard-coded Password (CWE-259) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078). The CVE ranks at the 38.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-7 (Boundary Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Valid Accounts (T1078) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent, recover

Directly requires identification, reporting, and correction of critical flaws like hard-coded credentials in /system/www/system.ini to prevent remote exploitation.

prevent

Mandates management of authenticators to prohibit hard-coded credentials and default passwords, directly countering CWE-259 and CWE-798 in the affected component.

prevent

Enforces boundary protection to monitor and control remote communications, blocking unauthenticated access to the vulnerable system.ini file over the network.

MITRE ATT&CK Enterprise Techniques

T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Hard-coded credentials directly enable use of valid accounts (T1078) for remote unauthenticated access to a public-facing device interface, matching T1190 exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A security flaw has been discovered in Apeman ID71 218.53.203.117. This vulnerability affects unknown code of the file /system/www/system.ini. The manipulation results in hard-coded credentials. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysis

CVE-2025-11126 is a critical vulnerability involving hard-coded credentials in unknown code within the file /system/www/system.ini of Apeman ID71 218.53.203.117. Published on 2025-09-29, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-259 (Use of Hard-coded Password) and CWE-798 (Use of Hard-coded Credentials).

The vulnerability enables remote exploitation without authentication or user interaction. Attackers can manipulate the affected component to leverage the hard-coded credentials, achieving high impacts on confidentiality, integrity, and availability, such as unauthorized access, data exfiltration, or system compromise.

VulDB advisories (https://vuldb.com/?ctiid.326209, https://vuldb.com/?id.326209, https://vuldb.com/?submit.654168) confirm that a public exploit has been released and the flaw may already be under active exploitation. The vendor was notified early but provided no response, and no patches or specific mitigations are detailed.

An exploit is publicly available, increasing the urgency for practitioners to isolate or decommission affected Apeman ID71 instances pending vendor action.

Details

CWE(s)

CVEs Like This One

CVE-2026-7579: Shared CWE-259, CWE-798
CVE-2025-8730: Shared CWE-259, CWE-798
CVE-2025-1393: Shared CWE-798
CVE-2025-70041: Shared CWE-259
CVE-2025-8857: Shared CWE-798
CVE-2025-2538: Shared CWE-798
CVE-2025-37103: Shared CWE-798
CVE-2025-8974: Shared CWE-259, CWE-798
CVE-2026-2616: Shared CWE-259, CWE-798
CVE-2024-9334: Shared CWE-798
