Cyber Resilience

CVE-2026-8076

Critical

Published: 08 May 2026

Modified: 08 May 2026
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0032 (24.3th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-8076 is a critical-severity Use of Weak Credentials (CWE-1391) vulnerability in Itresit (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001). The CVE is ranked at the 24.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

Weak credentials in the CashDro 3 web administration panel, version 24.01.00.26, where the platform allows the use of numeric PINs for user authentication. The system supports the use of PIN-based credentials, maintaining compatibility with POS software integrations deployed since 2012.

This could allow an attacker to easily perform a brute-force attack against a user and gain access by trying different PINs without the account being locked. Successful exploitation of this vulnerability could result in unauthorized access to confidential configuration settings, compromising the security of the system.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1110.001 Password Guessing (Credential Access)
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.

T1078 Valid Accounts (Stealth)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why these techniques?

Vulnerability explicitly enables brute-force guessing of weak numeric PIN credentials (no lockout) to obtain valid accounts on a web admin panel.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23853 (shared CWE-1391)
CVE-2025-2229 (shared CWE-1391)
CVE-2026-22910 (shared CWE-1391)
CVE-2025-67114 (shared CWE-1391)
CVE-2026-39920 (shared CWE-1391)
CVE-2024-52331 (shared CWE-1391)
CVE-2026-44351 (shared CWE-1391)
CVE-2026-22886 (shared CWE-1391)
CVE-2024-43659 (shared CWE-1391)

Affected Assets

Itresit
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-1391

Ensuring sufficient strength of mechanism for authenticators prevents use of weak credentials.

addresses: CWE-1391

Enforces use of credentials that comply with standards rather than weak credentials for module access.
