CVE-2025-26326
Published: 28 February 2025
Summary
CVE-2025-26326 is a high-severity Improper Authentication (CWE-287) vulnerability in NVDA remote-connection add-ons (product inferred from the references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001); ranked in the top 12.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and AC-7 (Unsuccessful Logon Attempts).
Deeper analysis
The vulnerability CVE-2025-26326 affects the NVDA Remote version 2.6.4 and Tele NVDA Remote version 2025.3.3 remote connection add-ons. It arises because these add-ons accept any password entered by the user and lack additional authentication or computer verification mechanisms, allowing brute-force or trial-and-error guessing of weak passwords that many users have configured.
A remote attacker who knows or can guess the password can exploit the flaw to obtain complete control of the target system. This enables arbitrary command execution, file modification, and full compromise of the remote host. More than 1,000 systems have been observed using easily guessable passwords of four to six characters or common sequences.
The listed references consist of the upstream GitHub repositories for the affected add-ons, a proof-of-concept repository, and the NVDA add-on distribution sites; no specific mitigation guidance or patch details are provided in the available information. The EPSS score remains low at a current value of 0.0341 with a peak of 0.0364.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5957
Vulnerability details
A vulnerability was identified in the NVDA Remote (version 2.6.4) and Tele NVDA Remote (version 2025.3.3) remote connection add-ons, which allows an attacker to obtain total control of the remote system by guessing a weak password. The problem occurs because these add-ons accept any password entered by the user and do not have an additional authentication or computer verification mechanism. Tests indicate that more than 1,000 systems use easy-to-guess passwords, many with fewer than 4 to 6 characters, including common sequences. This allows brute force attacks or trial-and-error attempts by malicious invaders. The vulnerability can be exploited by a remote attacker who knows or can guess the password used in the connection. As a result, the attacker gains complete access to the affected system and can execute commands, modify files, and compromise user security.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability's lack of authentication beyond a weak password directly enables brute force/trial-and-error password guessing (T1110.001) to exploit the exposed remote connection add-on (T1133 External Remote Services) for full system control and command execution.
Mitigating Controls (NIST 800-53 r5)
- Enforces management of authenticators, including minimum password length and complexity requirements, directly preventing the use of weak, easy-to-guess passwords of under 4-6 characters on the more than 1,000 affected systems.
- AC-7 (Unsuccessful Logon Attempts): Limits or blocks system access after a defined number of unsuccessful logon attempts, mitigating brute force and trial-and-error attacks on the remote connection passwords.
- AC-17 (Remote Access): Requires authorized remote access with robust identification and authentication mechanisms plus protective measures, addressing the lack of additional authentication or computer verification beyond passwords in the NVDA Remote add-ons.
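The two controls the page names against this flaw, a password policy and lockout after repeated failed attempts, illustrated as an added Python example; this is hypothetical code written for this page, not code from NVDA Remote or Tele NVDA Remote, and the thresholds, the constructed salt and the short list of common sequences are assumptions.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Policy values are assumptions for this example, not settings of the add-ons.
MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 900
# Constructed list of sequences the policy rejects; a real policy uses a larger deny list.
COMMON_SEQUENCES = ("1234", "abcd", "qwerty", "password")


def password_is_acceptable(password: str) -> bool:
    """Reject passwords shorter than MIN_LENGTH or built on a common sequence."""
    if len(password) < MIN_LENGTH:
        return False
    lowered = password.lower()
    return not any(seq in lowered for seq in COMMON_SEQUENCES)


def derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the password so the stored value is not the secret itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class ConnectionGate:
    """Checks the connection password and locks a source out after repeated failures."""
    def __init__(self, password: str, clock=time.monotonic):
        if not password_is_acceptable(password):
            raise ValueError("configured password violates the password policy")
        self.salt = b"constructed-salt"  # constructed for the example; use os.urandom(16) in practice
        self.expected = derive(password, self.salt)
        self.clock = clock  # injectable so the lockout window can be tested deterministically
        self.failures = defaultdict(int)  # source address -> consecutive failed attempts
        self.locked_until = {}  # source address -> time at which the lockout expires

    def attempt(self, source: str, offered: str) -> str:
        """Return 'accepted', 'rejected' or 'locked' for one connection attempt."""
        now = self.clock()
        if self.locked_until.get(source, 0.0) > now:
            return "locked"
        # Constant-time comparison so response timing does not leak matching prefixes.
        if hmac.compare_digest(derive(offered, self.salt), self.expected):
            self.failures.pop(source, None)
            return "accepted"
        self.failures[source] += 1
        if self.failures[source] >= MAX_FAILED_ATTEMPTS:
            self.failures.pop(source, None)
            self.locked_until[source] = now + LOCKOUT_SECONDS
            return "locked"
        return "rejected"
```

A locked source keeps getting "locked" even with the right password until the window expires, which is what stops trial-and-error guessing from converging; other sources are unaffected.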