CVE-2025-26410

The firmware of all Wattsense Bridge devices contain the same hard-coded user and root credentials. The user password can be easily recovered via password cracking attempts. The recovered credentials can be used to log into the device via the login shell that is exposed by the serial interface. The backdoor user has been removed in firmware BSP >= 6.4.1.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://r.sec-consult.com/wattsense
https://support.wattsense.com/hc/en-150/articles/13366066529437-Release-Notes
http://seclists.org/fulldisclosure/2025/Feb/9

Configurations

No configuration.

History

03 Nov 2025, 22:18

Type	Values Removed	Values Added
References		() http://seclists.org/fulldisclosure/2025/Feb/9 -

Information

Published : 2025-02-11 10:15

Updated : 2025-11-03 22:18

NVD link : CVE-2025-26410

Mitre link : CVE-2025-26410

CVE.ORG link : CVE-2025-26410

JSON object : View

Products Affected

No product.

CWE

CWE-798

Use of Hard-coded Credentials

9.8 /10