Cyber Posture

CVE-2026-24346

Critical

Published: 27 January 2026

Modified: 05 February 2026
KEV Added: not listed
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0004 (10.8th percentile)
Risk Priority: 18 (weighting 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-24346 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in the NimbleTech EZCast Pro Dongle II firmware (EZCast Pro II, version 1.17478.146). Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Default Accounts (T1078.001). EPSS ranks it at the 10.8th percentile for exploit likelihood (below the median) and it is not currently listed in the CISA KEV catalog; because EPSS and KEV carry 80% of the weighting, the blended risk priority (18) sits well below what the CVSS score alone would suggest.

The strongest mitigations identified here are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management); in practice that means changing or disabling the shipped default credentials before the device is exposed on any network.

Threat & Defense at a Glance

What attackers do: log in to the Admin UI with the shipped default credentials, which maps to Default Accounts (T1078.001). What defenders deploy: the NIST 800-53 controls listed below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

IA-5 Authenticator Management (prevent): requires authenticators to be managed across their lifecycle, including verification, protection from compromise, and changing default authenticators before first use, which directly prevents unauthorized access via well-known defaults.

AC-2 Account Management (prevent): mandates account management processes that identify, modify, disable, or remove default accounts, blocking exploitation of well-known credentials in the Admin UI.

SI-2 Flaw Remediation (prevent): ensures timely identification, assessment, and remediation of flaws like CVE-2026-24346 through patches or configuration updates that eliminate the default credentials.

MITRE ATT&CK Enterprise Techniques

T1078.001 Default Accounts
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Default/hard-coded credentials (CWE-798) on public Admin UI directly enable use of default accounts for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
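Because T1078.001 produces a valid-looking login rather than an error, detection hinges on who authenticated as a default account and from where. The following Python sketch is an added example, not from this page or the vendor; it assumes the device, or a reverse proxy in front of it, writes Common Log Format lines with the authenticated username in the authuser field, and the sample log lines, default-account list and management network below are constructed for the demo.

```python
"""Detection sketch for T1078.001 (Default Accounts) against a web admin UI.

Added example, not from the page or the vendor. Assumes Common Log Format
lines with the Basic-auth username in the authuser field (constructed here).
"""
import ipaddress
import re

CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed policy inputs for the demo.
DEFAULT_ACCOUNTS = {"admin", "root"}                # names shipped as defaults
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]  # where admin access is expected
ADMIN_PREFIX = "/admin"

# Constructed sample log: an operator on the management LAN, then an
# outside host that draws a 401 and succeeds as "admin" one second later.
SAMPLE_LOG = """\
10.10.0.5 - admin [27/Jan/2026:10:01:02 +0000] "GET /admin/status HTTP/1.1" 200 512
203.0.113.9 - - [27/Jan/2026:10:02:11 +0000] "GET /admin/status HTTP/1.1" 401 0
203.0.113.9 - admin [27/Jan/2026:10:02:12 +0000] "GET /admin/status HTTP/1.1" 200 512
203.0.113.9 - admin [27/Jan/2026:10:02:14 +0000] "POST /admin/config HTTP/1.1" 200 88
10.10.0.7 - operator [27/Jan/2026:10:03:00 +0000] "GET /admin/status HTTP/1.1" 200 512
"""


def parse_clf(line):
    """Parse one CLF line into a dict of named fields, or None if it does not match."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def from_mgmt_net(ip):
    """True when the source address falls inside an expected management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETS)


def find_default_account_logins(log_text):
    """Alert on successful admin-UI requests by a default account from outside the
    management networks, noting whether the same source drew a 401 earlier."""
    alerts = []
    seen_401 = set()
    for raw in log_text.splitlines():
        rec = parse_clf(raw)
        if rec is None or not rec["path"].startswith(ADMIN_PREFIX):
            continue
        if rec["status"] == "401":
            seen_401.add(rec["ip"])
            continue
        if (rec["user"] in DEFAULT_ACCOUNTS
                and rec["status"].startswith("2")
                and not from_mgmt_net(rec["ip"])):
            alerts.append({
                "ip": rec["ip"],
                "user": rec["user"],
                "path": rec["path"],
                "ts": rec["ts"],
                "preceded_by_401": rec["ip"] in seen_401,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_default_account_logins(SAMPLE_LOG):
        print(alert)
```

The rule deliberately stays quiet for the management-LAN login on the first line: a default account in use from an expected source is a hygiene finding for AC-2, not an intrusion signal. The 401-then-200 pairing from the same outside address is the pattern worth escalating.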

NVD Description

Use of well-known default credentials in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to access protected areas in the web application

Deeper analysis

CVE-2026-24346 involves the use of well-known default credentials in the Admin UI of EZCast Pro II version 1.17478.146, enabling unauthorized access to protected areas of the web application. Published on 2026-01-27, the vulnerability is classified under CWE-798 (Use of Hard-coded Credentials) and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), critical because of its high potential for confidentiality and integrity compromise.

Remote, unauthenticated attackers can exploit it over the network with low attack complexity and no user interaction. A login with the shipped defaults bypasses authentication entirely and yields the administrative interface, with high confidentiality and integrity impact (configuration disclosure, unauthorized modification) and, per the vector, no direct availability impact.

Mitigation guidance is available in the advisory published at https://hub.ntc.swiss/ntcf-2025-13993.
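The controls above (IA-5, AC-2) and the analysis of the Admin UI reduce to one condition a practitioner can verify: the device must reject every shipped default credential. The following Python audit is an added example, not code from this page, NimbleTech or NTC. It assumes the Admin UI protects a path with HTTP Basic authentication (the actual EZCast login mechanism is not described here, so attempt_login() is the part to adapt); the candidate credential list, the /admin path and the in-process fake device are placeholders constructed for the demo, and the real vendor defaults are deliberately not reproduced.

```python
"""Default-credential audit for a web admin UI (CWE-798 / T1078.001).

Added example, not NimbleTech or NTC code. Assumes HTTP Basic auth on a
protected path; the fake device and candidate list are constructed stand-ins.
"""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Operator-supplied candidate defaults (placeholders for the demo; the real
# vendor defaults are deliberately not reproduced here).
DEFAULT_CANDIDATES = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
]


def attempt_login(host, port, path, username, password, timeout=5):
    """Return True when `path` accepts the Basic-auth pair (anything but 401/403).
    Adapt this function if the target uses a form login instead of Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Authorization": f"Basic {token}"})
        resp = conn.getresponse()
        resp.read()
        return resp.status not in (401, 403)
    finally:
        conn.close()


def audit_defaults(host, port, path, candidates=DEFAULT_CANDIDATES):
    """Return the candidate pairs the UI accepted; an empty list is a pass."""
    return [c for c in candidates if attempt_login(host, port, path, *c)]


class _FakeAdminUI(BaseHTTPRequestHandler):
    """Constructed stand-in for a device admin UI (not the real firmware):
    answers 200 for the one credential pair stored on the server, else 401."""

    def do_GET(self):
        header = self.headers.get("Authorization", "")
        ok = False
        if header.startswith("Basic "):
            try:
                user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
                ok = (user, pw) == self.server.accepted
            except ValueError:  # covers binascii.Error and UnicodeDecodeError
                ok = False
        if ok:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"admin panel")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="admin"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def serve_fake(accepted):
    """Start the fake UI on an ephemeral localhost port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeAdminUI)
    server.accepted = accepted
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def audit_fake(accepted):
    """Audit a fake device that accepts only `accepted`; return the findings."""
    server, port = serve_fake(accepted)
    try:
        return audit_defaults("127.0.0.1", port, "/admin")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("factory defaults:", audit_fake(("admin", "admin")))          # one finding
    print("hardened device: ", audit_fake(("admin", "Zq7!long-unique")))  # []
```

Against a real device, point audit_defaults() at the management address and the Admin UI path and run it from the same inventory job that tracks firmware versions; a non-empty result means the SI-2 fix or the IA-5 credential change has not actually landed on that unit.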

Details

CWE(s): CWE-798 Use of Hard-coded Credentials

Affected Products: NimbleTech EZCast Pro Dongle II firmware, version 1.17478.146

CVEs Like This One

CVE-2026-24345 (same product: NimbleTech EZCast Pro Dongle II)
CVE-2024-51547 (shared CWE-798)
CVE-2025-30122 (shared CWE-798)
CVE-2026-23781 (shared CWE-798)
CVE-2026-27785 (shared CWE-798)
CVE-2026-26218 (shared CWE-798)
CVE-2026-25803 (shared CWE-798)
CVE-2026-29119 (shared CWE-798)
CVE-2025-33089 (shared CWE-798)
CVE-2026-22900 (shared CWE-798)
