Cyber Posture

CVE-2026-1803

Severity: High

Published: 03 February 2026
Modified: 15 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: none documented
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (9.6th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-1803 is a high-severity Use of Default Credentials (CWE-1392) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE is ranked at the 9.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Default Accounts (T1078.001). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- IA-5 (prevent): requires management of authenticators, including changing default credentials in the Dropbear SSH Service, to prevent remote exploitation using known defaults.

- AC-2 (prevent): mandates account management processes to identify, modify, or disable accounts with default credentials in the SSH service, blocking unauthorized remote access.

- CM-6 (prevent): enforces secure configuration settings for the Dropbear SSH Service on the Ziroom ZHOME device, specifically prohibiting default credentials.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1078.001 Default Accounts [Stealth]
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why these techniques?

The vulnerability directly enables remote use of default credentials on an exposed SSH service (CWE-1392), which maps to T1078.001 for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A weakness has been identified in Ziroom ZHOME A0101 1.0.1.0. Impacted is an unknown function of the component Dropbear SSH Service. This manipulation causes use of default credentials. Remote exploitation of the attack is possible. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysis (AI-generated)

CVE-2026-1803 is a vulnerability affecting the Ziroom ZHOME A0101 1.0.1.0 device, specifically an unknown function within its Dropbear SSH Service component. The weakness enables the use of default credentials, mapped to CWE-1392, allowing remote exploitation. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact despite elevated attack complexity.

Remote attackers without privileges can exploit this over the network, with no user interaction required, to leverage the default credentials in the Dropbear SSH Service. Exploitation is described as difficult and of high complexity, but success grants high-level access that compromises the confidentiality, integrity, and availability of the affected device.

Disclosure references, including GitHub repositories from Blackhole23-Lab detailing the SSH backdoor and proof-of-concept exploit, as well as VulDB entries, confirm the exploit is publicly available and could be used in attacks. The vendor was contacted early but provided no response, with no patches or mitigations documented in the advisories.

Details

CWE(s): CWE-1392 (Use of Default Credentials)

CVEs Like This One

- CVE-2025-8731 (shared CWE-1392)
- CVE-2026-26341 (shared CWE-1392)
- CVE-2025-1160 (shared CWE-1392)
- CVE-2025-2398 (shared CWE-1392)
- CVE-2025-54756 (shared CWE-1392)
- CVE-2025-10542 (shared CWE-1392)
- CVE-2026-27751 (shared CWE-1392)
- CVE-2026-1972 (shared CWE-1392)
- CVE-2022-50803 (shared CWE-1392)
- CVE-2025-34516 (shared CWE-1392)
