Cyber Resilience

CVE-2026-1221

Critical

Published: 20 January 2026

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0044 (34.8th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-1221 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in the PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS (affected product inferred from references). Its CVSS v4 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks at the 34.8th percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SA-8 (Security and Privacy Engineering Principles).

Deeper analysis

CVE-2026-1221 is a Use of Hard-coded Credentials vulnerability (CWE-798) affecting the PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS. The flaw involves hardcoded database credentials stored in the firmware, which unauthenticated remote attackers can exploit to log in to the database. Published on 2026-01-20, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and potential for high-impact confidentiality, integrity, and availability disruptions.

Unauthenticated remote attackers can exploit this vulnerability over the network without privileges or user interaction. Successful exploitation grants database login access via the hardcoded credentials, enabling attackers to potentially read sensitive data, modify database contents, or disrupt services, aligning with the high impact ratings across confidentiality, integrity, and availability.

Advisories from TWCERT/CC detail the issue, available at https://www.twcert.org.tw/en/cp-139-10643-2f8d7-2.html and https://www.twcert.org.tw/tw/cp-132-10642-3b808-1.html. Security practitioners should consult these for recommended mitigations, such as firmware updates or credential rotation if available from the vendor.

Vulnerability details

PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to the database using hardcoded database credentials stored in the firmware.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1078.001 Default Accounts · Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1190 Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Hardcoded credentials enable the use of default accounts (T1078.001) for unauthenticated remote database login, and a vulnerability in a public-facing network device facilitates initial access via exploitation (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25202 · Shared CWE-798
CVE-2024-8893 · Shared CWE-798
CVE-2023-53983 · Shared CWE-798
CVE-2024-57040 · Shared CWE-798
CVE-2026-22769 · Shared CWE-798
CVE-2025-67418 · Shared CWE-798
CVE-2025-9497 · Shared CWE-798
CVE-2026-3873 · Shared CWE-798
CVE-2025-10850 · Shared CWE-798
CVE-2022-50696 · Shared CWE-798

Affected Assets

Org
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-2 requires timely identification, reporting, and correction of flaws like hardcoded credentials through vendor firmware updates.

Prevent: IA-5 mandates secure management of authenticators, directly prohibiting the embedding of hardcoded database credentials in firmware.

Prevent: SA-8 applies security engineering principles during system development to prevent vulnerabilities such as hardcoded credentials in firmware.
