CVE-2026-27507
Published: 24 February 2026
Summary
CVE-2026-27507 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Binardat 10G08-0800Gsm Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked at the 19.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires changing default authenticators prior to first use and ensuring sufficient strength of mechanism, directly mitigating the use of unchangeable hard-coded administrative credentials.
Mandates changing default content of system accounts and establishing procedures for account management, preventing unauthorized full administrative access via hard-coded credentials.
Requires identification, reporting, testing, and installation of firmware updates to remediate flaws like hard-coded credentials, addressing the root cause of this CVE.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Hard-coded unchangeable admin credentials (CWE-798) on a remotely accessible web-managed switch directly enable use of default accounts for initial access (T1078.001) to external remote management services (T1133) and public-facing applications (T1190).
NVD Description
Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior contain hard-coded administrative credentials that cannot be changed by users. Knowledge of these credentials allows full administrative access to the device.
Deeper analysisAI
CVE-2026-27507 is a critical vulnerability in the Binardat 10G08-0800GSM network switch firmware, affecting version V300SP10260209 and prior releases. It involves hard-coded administrative credentials that users cannot modify, enabling full administrative access upon disclosure of these credentials. Classified as CWE-798 (Use of Hard-coded Credentials), the issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-02-24.
The vulnerability can be exploited by any remote attacker with network access to the device, requiring no privileges, user interaction, or special complexity. Exploitation allows complete administrative control, compromising confidentiality, integrity, and availability to a high degree, such as reconfiguring the switch, extracting sensitive data, or disrupting network operations.
Advisories provide further details on the issue, including the VulnCheck advisory at https://www.vulncheck.com/advisories/binardat-10g08-0800gsm-network-switch-hard-coded-credentials and the vendor product page at https://www.binardat.com/products/8-port-10-gigabit-sfp-managed-switch,-support-1g-sfp-and-10g-sfp-module,-160gbps-bandwidth,-l3-web-managed,-metal-fanless-fiber-binardat-network-switch. Security practitioners should consult these sources for recommended mitigations, as no patch information is specified in the available details.
Details
- CWE(s)