Cyber Resilience

CVE-2026-7554

LowPublic PoC

Published: 01 May 2026

Published
01 May 2026
Modified
06 May 2026
KEV Added
Patch
CVSS Score v4 2.9 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0110 61.5th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-7554 is a low-severity Weak Password Recovery Mechanism for Forgotten Password (CWE-640) vulnerability in Dlink M60 Firmware. Its CVSS base score is 2.9 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 38.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was determined in D-Link M60 up to 1.20B02. Affected by this issue is some unknown functionality of the file /usr/bin/httpd. This manipulation causes weak password recovery. The attack can be initiated remotely. A high degree of complexity is…

more

needed for the attack. The exploitation is known to be difficult. The exploit has been publicly disclosed and may be utilized.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote weakness in public httpd service enables exploitation of password recovery for account access.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

dlink
m60 firmware
1.20b02

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-640

Establishing procedures for lost or compromised authenticators addresses weak password recovery mechanisms.

References