⚡ Active KEV CVE-2026-35075 2026-06-03

CVE-2026-35075: Hard-Coded Firmware Password Grants Unauthenticated Full Device Access

"A critical (CVSS 9.8) vulnerability disclosed via CERT@VDE allows an unauthenticated remote attacker to recover a default, hard-coded password from a firmware image and gain full access to affected devices."

What Is It

CVE-2026-35075 is a hard-coded credentials weakness (CWE-1393) in which a default password is embedded in the device firmware image. Because the credential is static and recoverable from the firmware itself, any attacker who extracts it can authenticate against affected devices over the network without prior access or interaction. NVD lists the issue as "Received" with a CVSS v3.1 base score of 9.8 (Critical) and a CVSS v4.0 secondary score of 9.3 (Critical). The vector, AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H, indicates a fully remote, low-complexity attack requiring no privileges or user interaction, with high impact on confidentiality, integrity, and availability.

Why It Matters

Hard-coded firmware credentials are among the most damaging classes of device flaws because the secret cannot be rotated by end users and is identical across every shipped unit. Once a researcher or attacker pulls the password from one firmware image, every device on that image becomes trivially compromisable. The advisory describes the outcome bluntly: "full access to all affected devices." There is no indication in the supplied source material that CISA KEV has added this CVE or confirmed active exploitation at this time.

What's Vulnerable

The NVD record does not enumerate affected CPEs in the supplied data. Identification of specific affected products and firmware versions is published by CERT@VDE in advisory VDE-2026-039, which is the authoritative reference for scope. Operators of VDE-listed industrial or embedded devices should consult that advisory directly to determine exposure.

Patch Status

The supplied NVD record does not include explicit patch metadata or a remediation directive beyond linking the CERT@VDE advisory. Asset owners should follow the mitigation and fixed-firmware guidance published at VDE-2026-039. Where a vendor fix is not yet available, network-level isolation of affected devices from untrusted networks is the standard interim control for hard-coded credential flaws of this severity.
