Cyber Resilience

CVE-2026-24346

Severity: High
Published: 27 January 2026
Modified: 05 February 2026
CVSS Score v4: 7.6 (CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:X/RE:X/U:X)
EPSS Score: 0.0023 (13.1th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-24346 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Nimbletech Ezcast Pro Dongle Ii Firmware. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). EPSS ranks it at the 13.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2026-24346 involves the use of well-known default credentials in the Admin UI of EZCast Pro II version 1.17478.146, enabling unauthorized access to protected areas of the web application. Published on 2026-01-27, this vulnerability is classified under CWE-798 (Use of Hard-coded Credentials) and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to its high potential for confidentiality and integrity compromise.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation allows attackers to bypass authentication and gain access to sensitive administrative interfaces, potentially leading to high-impact confidentiality and integrity violations, such as data exposure or unauthorized modifications, while availability remains unaffected.

Mitigation guidance is available in the advisory published at https://hub.ntc.swiss/ntcf-2025-13993.

Vulnerability details

Use of well-known default credentials in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to access protected areas in the web application

CWE(s): CWE-798 (Use of Hard-coded Credentials)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1078.001 Default Accounts (Stealth)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Default/hard-coded credentials (CWE-798) on public Admin UI directly enable use of default accounts for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24345 (same product: Nimbletech Ezcast Pro Dongle Ii)
CVE-2026-26218 (shared CWE-798)
CVE-2026-22900 (shared CWE-798)
CVE-2024-51547 (shared CWE-798)
CVE-2024-46433 (shared CWE-798)
CVE-2019-25322 (shared CWE-798)
CVE-2026-27785 (shared CWE-798)
CVE-2020-37135 (shared CWE-798)
CVE-2026-25803 (shared CWE-798)
CVE-2025-33089 (shared CWE-798)

Affected Assets

Vendor: nimbletech
Product: ezcast pro dongle ii firmware
Version: 1.17478.146

Mitigating Controls (NIST 800-53 r5)

Prevent: IA-5 requires management of authenticators including verification, protection from compromise, and prohibition of hard-coded or default credentials, directly preventing unauthorized access via well-known defaults.

Prevent: AC-2 mandates account management processes that identify, modify, disable, or remove default accounts, blocking exploitation of well-known credentials in the Admin UI.

Prevent: SI-2 ensures timely identification, assessment, and remediation of flaws like CVE-2026-24346, preventing exploitation through patches or configuration updates that eliminate default credentials.