SDMC NE6037 cable modem routers ship with a hardcoded password in their web management recovery endpoints, allowing unauthenticated attackers to gain root-level remote access over the network.
What Is It
CVE-2026-24444 is a hardcoded credential vulnerability (CWE-798) in the web management interface of SDMC NE6037 cable modem routers. The flaw lives in the recovery endpoints mgmt.php and npcmd.php. By submitting the hardcoded credential to these endpoints over HTTP, an unauthenticated attacker gains root access to the device. The same credential can be used to enable the SSH and Telnet services, which are normally filtered off, opening unauthenticated root-level remote access to the underlying system.
The vulnerability carries a CVSS 3.1 base score of 9.8 (Critical) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and a CVSS 4.0 base score of 9.3 (Critical). In plain terms: reachable over the network, low attack complexity, no privileges or user interaction required, and full impact to confidentiality, integrity, and availability.
Why It Matters
A hardcoded password reachable from the network is a backdoor in everything but name. Any attacker who can reach the router's web management interface can take full root control of the device, pivot into the home or small business network it fronts, intercept or redirect traffic, and persist by enabling SSH/Telnet for follow-on access. If the management interface is exposed on the WAN side, that attacker is anyone on the internet. Cable modem routers are typically internet-facing edge devices, which magnifies the blast radius. The credential cannot be rotated or disabled by the end user, so the only real fix is a firmware update; everything else is exposure reduction.
What's Vulnerable
- Vendor / device: SDMC NE6037 cable modem router
- Affected firmware: 7.1.6.0.25 and 7.1.6.1.9_B9
- Affected components: web management interface recovery endpoints mgmt.php and npcmd.php
- Weakness: CWE-798 (Use of Hard-coded Credentials)
Patch Status
At the time of writing, the NVD record lists no vendor patch, fixed firmware version, or mitigation guidance, and the vulnerability is not listed in the CISA KEV catalog. Operators of affected SDMC NE6037 devices should treat the web management interface as untrusted: confirm it is not reachable from the WAN side, segment the device from sensitive networks, watch for requests to mgmt.php and npcmd.php and for SSH (22/tcp) or Telnet (23/tcp) unexpectedly becoming reachable on the device, and monitor the vendor for a firmware update addressing the recovery endpoints.
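The "monitor" part of that advice is the one most people skip, so here is an added example of what it looks like in practice. This is illustrative code written for this page, not vendor tooling or a published detection rule. It hunts for hits on the two recovery endpoints named in the advisory in an HTTP access log, rating any request from a non-LAN source as critical (the endpoints have no business being reachable from the WAN at all) and LAN-side hits as high or medium depending on whether the server answered 2xx. Assumptions: the NE6037's real log format is unknown, so the parser expects the common Apache/nginx "combined" format, and the log lines are constructed samples using documentation address ranges, not captures from a real device. Percent-encoded and dot-segment paths are normalized before matching so a trivially obfuscated request path is not missed.

```python
"""Hunt for requests to the NE6037 recovery endpoints in an HTTP access log.

Added example for this page; not SDMC code. Endpoint names come from the
advisory, everything else (log format, sample lines, severities) is assumed.
"""
import ipaddress
import posixpath
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Endpoint paths named in the advisory (CVE-2026-24444).
RECOVERY_ENDPOINTS = frozenset({"/mgmt.php", "/npcmd.php"})

# Source ranges treated as "inside the LAN". Listed explicitly rather than via
# ipaddress.is_global, which also treats TEST-NET documentation ranges as non-global.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]

# Apache/nginx "combined" format (assumed): ip ident user [time] "METHOD target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (not real device output). 203.0.113.0/24 and
# 198.51.100.0/24 stand in for internet sources; the last line uses a
# percent-encoded path to show that normalization still catches it.
SAMPLE_LOG = """\
192.168.0.12 - - [10/Mar/2026:02:10:41 +0000] "GET /index.php HTTP/1.1" 200 2048
203.0.113.45 - - [10/Mar/2026:02:14:07 +0000] "POST /mgmt.php HTTP/1.1" 200 512
203.0.113.45 - - [10/Mar/2026:02:15:30 +0000] "POST /npcmd.php HTTP/1.1" 200 88
192.168.0.12 - - [10/Mar/2026:02:16:02 +0000] "GET /mgmt.php HTTP/1.1" 401 0
198.51.100.7 - - [10/Mar/2026:03:00:01 +0000] "GET /%6epcmd.php?x=1 HTTP/1.1" 404 0
10.0.0.5 - - [10/Mar/2026:03:05:12 +0000] "POST /npcmd.php HTTP/1.1" 200 88
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    source: str
    method: str
    path: str
    status: int
    severity: str


def is_wan(ip: str) -> bool:
    """True unless the source falls in one of the LAN/loopback/link-local ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable source: treat as untrusted
    return not any(addr in net for net in LAN_NETWORKS)


def normalize_path(target: str) -> str:
    """Strip the query string, percent-decode, and collapse dot segments."""
    return posixpath.normpath(unquote(urlsplit(target).path))


def classify(source: str, path: str, status: int):
    """Severity for one request, or None if it did not touch a recovery endpoint."""
    if path not in RECOVERY_ENDPOINTS:
        return None
    if is_wan(source):
        return "critical"  # recovery endpoint reached from outside the LAN
    return "high" if 200 <= status < 300 else "medium"


def find_hits(log_text: str) -> list:
    """Return a Finding for every logged request to mgmt.php or npcmd.php."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize_path(m["target"])
        status = int(m["status"])
        severity = classify(m["ip"], path, status)
        if severity:
            findings.append(Finding(m["ts"], m["ip"], m["method"], path, status, severity))
    return findings


def summarize(findings: list) -> list:
    """(source, worst severity, hit count) per source, worst and busiest first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    counts = Counter(f.source for f in findings)
    worst = {}
    for f in findings:
        if f.source not in worst or order[f.severity] < order[worst[f.source]]:
            worst[f.source] = f.severity
    return sorted(((src, worst[src], n) for src, n in counts.items()),
                  key=lambda t: (order[t[1]], -t[2], t[0]))


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for f in hits:
        print(f"{f.severity:8} {f.source:15} {f.method} {f.path} -> {f.status} @ {f.timestamp}")
    for src, sev, n in summarize(hits):
        print(f"{src}: {n} hit(s), worst {sev}")
```

Feed it the device's own access log if the firmware exposes one, or the log of a reverse proxy or IDS sitting in front of the management interface; a single "critical" line is enough to justify isolating the router, because a WAN-sourced request to these endpoints has no benign explanation.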