CVE-2026-2564
Published: 16 February 2026
Summary
CVE-2026-2564 is a high-severity Weak Password Recovery Mechanism for Forgotten Password (CWE-640) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 19.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires identifying, reporting, and correcting the flaw in the /OutsideCmd password recovery mechanism through firmware upgrades as recommended by the advisory.
Mandates administrative procedures for managing lost or compromised authenticators, ensuring robust password recovery processes that prevent weak mechanisms like CWE-640.
Requires validation of inputs to functionalities like /OutsideCmd to block manipulative requests that exploit the weak password recovery vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote network exploitation of public-facing /OutsideCmd functionality (T1190) directly enables weak password recovery, facilitating unauthorized use of valid accounts (T1078).
NVD Description
A security flaw has been discovered in Intelbras VIP 3260 Z IA 2.840.00IB005.0.T. Affected by this vulnerability is an unknown functionality of the file /OutsideCmd. The manipulation results in weak password recovery. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitation appears to be difficult. It is recommended to upgrade the affected component.
Deeper analysis
CVE-2026-2564 is a security vulnerability affecting the Intelbras VIP 3260 Z IA firmware version 2.840.00IB005.0.T, specifically an unknown functionality within the /OutsideCmd file. The flaw enables weak password recovery, classified under CWE-640 (Weak Password Recovery Mechanism for Forgotten Password). It carries a CVSS v3.1 base score of 8.1 (High), with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, high attack complexity, no required privileges or user interaction, unchanged scope, and high impacts to confidentiality, integrity, and availability. The vulnerability was published on 2026-02-16.
A remote attacker with no privileges can exploit this vulnerability over the network by manipulating the affected /OutsideCmd functionality, resulting in weak password recovery. Exploitation is described as highly complex and difficult, aligning with the high attack complexity (AC:H) metric. Successful exploitation could grant attackers significant access, potentially compromising the device's confidentiality, integrity, and availability at a high level.
VulDB advisories, referenced at https://vuldb.com/?ctiid.346171, https://vuldb.com/?id.346171, and https://vuldb.com/?submit.741776, recommend upgrading the affected component to mitigate the vulnerability. No additional patches or workarounds are detailed in the available information.
Details
- CWE(s)