CVE-2026-25715
Published: 20 February 2026
Summary
CVE-2026-25715 is a critical-severity Weak Password Requirements (CWE-521) vulnerability in Cisa (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The vulnerability ranks at the 27.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and IA-2 (Identification and Authentication (Organizational Users)).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly prohibits administrative access to management interfaces without identification or authentication, addressing the core issue of empty credential acceptance.
Requires establishment of authenticator content with minimum strength and management procedures that prevent blank or weak passwords from being set or accepted.
Mandates unique identification and authentication for organizational users accessing the management interfaces, preventing unauthenticated administrative control.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables authentication bypass using empty/default credentials (T1078.001) on public-facing web management interface and Telnet (T1190).
NVD Description
The web management interface of the device allows the administrator username and password to be set to blank values. Once applied, the device permits authentication with empty credentials over the web management interface and Telnet service. This effectively disables authentication across all critical management channels, allowing any network-adjacent attacker to gain full administrative control without credentials.
Deeper analysis
CVE-2026-25715, published on 2026-02-20, is a critical vulnerability in the web management interface of the device, assigned CVSS score 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-521. The issue allows the administrator username and password to be set to blank values. Once applied, the device accepts authentication with empty credentials over both the web management interface and Telnet service, effectively disabling authentication for all critical management channels.
A network-adjacent attacker can exploit this vulnerability without privileges or user interaction by simply attempting to authenticate using empty credentials. Successful exploitation grants full administrative control of the device, enabling high-impact confidentiality, integrity, and availability violations.
Mitigation guidance is provided in CISA ICS Advisory ICSA-26-050-03, available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-03 and the corresponding CSAF JSON file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-03.json.
Details
- CWE(s)