CVE-2025-26410

Critical

Published: 11 February 2025

Published

11 February 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0034 56.7th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26410 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Sec Consult (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked in the top 43.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Credentials In Files (T1552.001) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

IA-5 Authenticator Management good match

prevent

Directly prohibits the use of hard-coded credentials as authenticators in firmware, addressing the core CWE-798 vulnerability.

AC-2 Account Management good match

prevent

Mandates management of accounts to disable or remove unnecessary backdoor users like the hard-coded user and root credentials in the firmware.

SI-2 Flaw Remediation good match

preventrecover

Requires flaw remediation through timely firmware updates to BSP >=6.4.1, which removes the backdoor user and mitigates the vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1552.001 Credentials In Files Credential Access

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

attack.mitre.org →

T1110.002 Password Cracking Credential Access

Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained.

attack.mitre.org →

T1078.001 Default Accounts Stealth

Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Hard-coded credentials in firmware directly enable T1552.001 (credentials in files), T1110.002 (password cracking), T1078.001 (default accounts for auth), and T1059.004 (Unix shell access via serial).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The firmware of all Wattsense Bridge devices contain the same hard-coded user and root credentials. The user password can be easily recovered via password cracking attempts. The recovered credentials can be used to log into the device via the login…

shell that is exposed by the serial interface. The backdoor user has been removed in firmware BSP >= 6.4.1.

Deeper analysisAI

CVE-2025-26410, published on 2025-02-11, is a critical vulnerability (CVSS 3.1 score of 9.8, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) stemming from CWE-798: Use of Hard-coded Credentials. It affects the firmware of all Wattsense Bridge devices, where identical hard-coded user and root credentials are embedded. The user password is susceptible to easy recovery through password cracking attempts.

An attacker with access to the firmware can recover the user credentials via cracking and use them to authenticate to the device's login shell, which is exposed via the serial interface. This grants shell access, including root privileges in affected versions, enabling high-impact compromise of confidentiality, integrity, and availability.

Mitigation is available in firmware BSP version 6.4.1 and later, where the backdoor user has been removed. For further details, consult advisories including SEC Consult at https://r.sec-consult.com/wattsense, Wattsense release notes at https://support.wattsense.com/hc/en-150/articles/13366066529437-Release-Notes, and Full Disclosure at http://seclists.org/fulldisclosure/2025/Feb/9.