CVE-2025-26326

Severity: High
Published: 28 February 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: none listed
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0341 (87.7th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-26326 is a high-severity Improper Authentication (CWE-287) vulnerability in Nvda Addons (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001); ranked in the top 12.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and AC-7 (Unsuccessful Logon Attempts).

Deeper analysis

The vulnerability CVE-2025-26326 affects the NVDA Remote version 2.6.4 and Tele NVDA Remote version 2025.3.3 remote connection add-ons. It arises because these add-ons accept any password entered by the user and lack additional authentication or computer verification mechanisms, allowing brute-force or trial-and-error guessing of weak passwords that many users have configured.

A remote attacker who knows or can guess the password can exploit the flaw to obtain complete control of the target system. This enables arbitrary command execution, file modification, and full compromise of the remote host. More than 1,000 systems have been observed using easily guessable passwords of four to six characters or common sequences.

The listed references consist of the upstream GitHub repositories for the affected add-ons, a proof-of-concept repository, and the NVDA add-on distribution sites; no specific mitigation guidance or patch details are provided in the available information. The EPSS score remains low at a current value of 0.0341 with a peak of 0.0364.

Vulnerability details

A vulnerability was identified in the NVDA Remote (version 2.6.4) and Tele NVDA Remote (version 2025.3.3) remote connection add-ons, which allows an attacker to obtain total control of the remote system by guessing a weak password. The problem occurs because these add-ons accept any password entered by the user and do not have an additional authentication or computer verification mechanism. Tests indicate that more than 1,000 systems use easy-to-guess passwords, many with fewer than 4 to 6 characters, including common sequences. This allows brute force attacks or trial-and-error attempts by malicious actors. The vulnerability can be exploited by a remote attacker who knows or can guess the password used in the connection. As a result, the attacker gains complete access to the affected system and can execute commands, modify files, and compromise user security.

CWE(s)

CWE-287 Improper Authentication

Related Threats

MITRE ATT&CK Enterprise Techniques

T1110.001 Password Guessing (Credential Access): Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.

T1133 External Remote Services (Persistence): Adversaries may leverage external-facing remote services to initially access and/or persist within a network.

Why these techniques?

The vulnerability's lack of authentication beyond a weak password directly enables brute force/trial-and-error password guessing (T1110.001) to exploit the exposed remote connection add-on (T1133 External Remote Services) for full system control and command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41070 (shared CWE-287)
CVE-2026-44058 (shared CWE-287)
CVE-2026-27856 (shared CWE-287)
CVE-2025-14002 (shared CWE-287)
CVE-2026-0407 (shared CWE-287)
CVE-2024-11322 (shared CWE-287)
CVE-2025-71279 (shared CWE-287)
CVE-2024-13804 (shared CWE-287)
CVE-2025-56752 (shared CWE-287)
CVE-2024-57046 (shared CWE-287)

Affected Assets

Nvda Addons (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

Prevent: Enforces management of authenticators, including minimum password length and complexity requirements, directly preventing the use of weak, easy-to-guess passwords under 4-6 characters on over 1,000 affected systems.

Prevent, AC-7 (Unsuccessful Logon Attempts): Limits or blocks system access after a defined number of unsuccessful logon attempts, mitigating brute force and trial-and-error attacks on the remote connection passwords.

Prevent, AC-17 (Remote Access): Requires authorized remote access with robust identification and authentication mechanisms plus protective measures, addressing the lack of additional authentication or computer verification beyond passwords in NVDA Remote add-ons.
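The two controls above that a remote-connection add-on can enforce in its own code are a minimum-strength policy for the shared connection password and a lockout after repeated unsuccessful attempts. The following is an added, hypothetical illustration of both, written for this page; it is not NVDA Remote or Tele NVDA Remote code and makes no claim about how those add-ons check passwords. The length threshold, the deny list of common sequences, the lockout parameters and the source addresses are all constructed for the example.

```python
"""Hypothetical defender-side guard for a remote-connection password check.

Added example, not code from the affected add-ons. It models two controls:
  * a minimum-strength policy for the configured connection password, and
  * an unsuccessful-logon lockout per source (NIST 800-53 AC-7 style).
"""
import hashlib
import hmac
import time

# Constructed deny list; a real deployment would use a much larger corpus.
COMMON_SEQUENCES = {"1234", "12345", "123456", "abcd", "qwerty", "password", "0000"}
MIN_LENGTH = 12  # assumption: well above the 4-6 character passwords seen in the wild


def password_policy_errors(password: str) -> list[str]:
    """Return the policy violations for a candidate password (empty == acceptable)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    if any(seq in lowered for seq in COMMON_SEQUENCES):
        errors.append("contains a common sequence")
    if len(set(lowered)) < 4:
        errors.append("too few distinct characters")
    return errors


class LoginGuard:
    """Checks a shared connection password and locks out sources that keep failing.

    `clock` is injectable so the lockout window can be tested without sleeping.
    """

    def __init__(self, password: str, max_failures: int = 5,
                 lockout_seconds: float = 300.0, clock=time.monotonic):
        # Hashing only equalises lengths for the constant-time compare below;
        # a persisted verifier would use a slow KDF instead of plain SHA-256.
        self._expected = hashlib.sha256(password.encode()).digest()
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._failures: dict[str, int] = {}        # source -> consecutive failures
        self._locked_until: dict[str, float] = {}  # source -> lockout expiry

    def is_locked(self, source: str) -> bool:
        until = self._locked_until.get(source)
        if until is None:
            return False
        if self._clock() >= until:
            # Lockout expired: clear the counter so the source starts fresh.
            del self._locked_until[source]
            self._failures.pop(source, None)
            return False
        return True

    def attempt(self, source: str, candidate: str) -> tuple[bool, str]:
        """Return (accepted, reason). A locked source is refused even with the right password."""
        if self.is_locked(source):
            return False, "locked_out"
        offered = hashlib.sha256(candidate.encode()).digest()
        if hmac.compare_digest(offered, self._expected):
            self._failures.pop(source, None)
            return True, "ok"
        count = self._failures.get(source, 0) + 1
        self._failures[source] = count
        if count >= self.max_failures:
            self._locked_until[source] = self._clock() + self.lockout_seconds
            return False, "locked_out"
        return False, "bad_password"


class FakeClock:
    """Deterministic clock for the simulation below."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate() -> list[str]:
    """Constructed sequence: three short guesses, then the real password, then retry after the window."""
    clock = FakeClock()
    guard = LoginGuard("correct horse battery staple", max_failures=3,
                       lockout_seconds=60, clock=clock)
    src = "203.0.113.7"  # constructed source address (documentation range)
    outcomes = [guard.attempt(src, guess)[1] for guess in ("1234", "12345", "123456")]
    outcomes.append(guard.attempt(src, "correct horse battery staple")[1])  # still locked
    clock.advance(61)
    outcomes.append(guard.attempt(src, "correct horse battery staple")[1])  # window elapsed
    return outcomes


if __name__ == "__main__":
    print(password_policy_errors("1234"))
    print(simulate())
```

The lockout is keyed per source so one noisy peer cannot deny service to everyone, and the counter is only reset on a successful login or when the window expires; the constant-time compare avoids leaking how much of a guess matched. The policy check is the simpler of the two controls and catches exactly the four-to-six-character and common-sequence passwords the page describes.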
