CVE-2022-50981
Multiple · Multiple Products
A critical vulnerability exists in multiple products where devices are shipped without a default password, and setting one is not enforced.
Executive summary
Affected devices ship from the factory with no administrative password, and the initial setup does not require one to be set. Anyone who can reach the management interface over the network can therefore log in as an administrator with an empty password and take immediate, complete control of the device, with the attendant risk of data theft, service disruption and onward compromise of the surrounding network.
Vulnerability
The vulnerability stems from an insecure default configuration. Affected devices leave the factory with no password set on the administrative account, and the initial setup process does not force the user to create one, so the administrative interface remains unprotected until an operator chooses to set a password. A remote attacker with network access to the management interface can authenticate by submitting the administrative username with an empty password and obtains full privileged access; no exploit code or software flaw is involved.
Business impact
This vulnerability is rated critical, with a CVSS score of 9.8. Successful exploitation is a complete compromise of the affected device: total loss of confidentiality, integrity and availability. An attacker can read or steal sensitive data, install malware such as ransomware, disrupt the operations the device supports, or use it as a foothold for further attacks against the internal network. Because exploitation requires nothing more than a login attempt, the threat is immediate.
Remediation
Immediate Action: Identify every affected device and set a strong, unique administrative password on each one. Update the firmware to the latest version provided by the vendor; the updated version may enforce password creation during setup. Treat any device that was reachable without a password as potentially already compromised: review all access logs for unauthorized or suspicious logins, check for administrative accounts you did not create, and compare the running configuration against a known-good baseline before returning the device to normal service.
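The first step, finding the devices that still accept an empty administrative password, can be scripted. The following is an added example and not code from any vendor or from this advisory. The page does not name the management protocol, so the probe assumes HTTP Basic authentication on a hypothetical /admin/ path, and the stub device it talks to is constructed here so the check runs offline. Adapt the request to whatever protocol the real interface uses, and run it only against devices you are authorised to test.

```python
"""Probe management interfaces for an accepted blank administrative password.

Added example, not vendor code. Assumes HTTP Basic authentication on a
hypothetical /admin/ path; the stub device below is constructed so the
check can be exercised offline.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def accepts_blank_password(host, port, username="admin", path="/admin/", timeout=5):
    """Return True if the interface grants access to `username` with an empty
    password. Sends a single request carrying 'username:' (empty password) and
    treats any 2xx response as a successful login; a 401/403 means it was
    rejected. Connection errors are left to propagate so that an unreachable
    host is never silently reported as safe."""
    token = base64.b64encode(f"{username}:".encode()).decode()
    req = urllib.request.Request(
        f"http://{host}:{port}{path}",
        headers={"Authorization": f"Basic {token}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError:
        return False


def audit(targets, **kwargs):
    """Probe each (host, port) pair and return the ones that accept a blank password."""
    return [(h, p) for h, p in targets if accepts_blank_password(h, p, **kwargs)]


# Constructed stub device for offline demonstration; not a real product.
class _StubDevice(BaseHTTPRequestHandler):
    """Behaves like a device that checks Basic auth against `required_password`.
    An empty required_password models the factory state this advisory
    describes: a blank password is accepted."""
    required_password = ""

    def do_GET(self):
        granted = False
        auth = self.headers.get("Authorization", "")
        if auth.startswith("Basic "):
            try:
                creds = base64.b64decode(auth[6:]).decode()
                _, _, password = creds.partition(":")
                granted = password == self.required_password
            except ValueError:  # malformed base64 or non-UTF-8 credentials
                granted = False
        if granted:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"admin console")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="device"')
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_stub(required_password):
    """Start a stub device on 127.0.0.1 at an ephemeral port; returns (server, port)."""
    handler = type("StubDevice", (_StubDevice,), {"required_password": required_password})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    factory, factory_port = start_stub("")               # no password set
    secured, secured_port = start_stub("correct horse")  # password set
    try:
        # Only the factory-state stub is reported.
        print(audit([("127.0.0.1", factory_port), ("127.0.0.1", secured_port)]))
    finally:
        factory.shutdown()
        secured.shutdown()
```

The probe deliberately sends exactly one request per host with the empty password and nothing else, so it confirms the condition this advisory describes without turning into a credential-guessing tool; a 401 on the secured stub is the expected result once a password has been set.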
Proactive Monitoring: Continuously monitor network traffic for anomalous connection attempts to the management interfaces of affected devices. Configure logging to capture every authentication attempt, successful and failed, and review those logs for connections from internal or external IP addresses that are not known administrative workstations. Also watch for unauthorized configuration changes, creation of new user accounts, and unusual outbound traffic from these devices.
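As an added example (not vendor tooling or part of this advisory) of the log review described above: the script below parses authentication records, flags successful logins from any source outside an allowlist of administrative workstation networks, and flags sources that repeatedly fail. The line format, hostnames, addresses and the sample log are constructed here for illustration; real devices log differently, so the regular expression is the part to adapt.

```python
"""Review device authentication logs for logins from untrusted sources.

Added example, not vendor tooling. The log format, hostnames and addresses
below are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Assumed line format:
#   "<timestamp> <device> auth: user=<u> src=<ip> result=success|failure"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) auth: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse(line):
    """Return a dict of fields for a well-formed line, else None."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def review(lines, trusted_nets, failure_threshold=3):
    """Return a list of alert tuples:
      ("untrusted_success", device, user, src, ts)  login succeeded from outside trusted_nets
      ("repeated_failures", device, src, count)     src failed >= failure_threshold times on device
      ("unparsed", line)                            line did not match the expected format
    Unparseable lines are reported rather than dropped, so a damaged or
    tampered log is not mistaken for a quiet one."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    alerts = []
    failures = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            alerts.append(("unparsed", line.strip()))
            continue
        src = ipaddress.ip_address(rec["src"])
        trusted = any(src in net for net in nets)
        if rec["result"] == "success" and not trusted:
            alerts.append(("untrusted_success", rec["device"], rec["user"], rec["src"], rec["ts"]))
        elif rec["result"] == "failure":
            failures[(rec["device"], rec["src"])] += 1
    for (device, src), count in failures.items():
        if count >= failure_threshold:
            alerts.append(("repeated_failures", device, src, count))
    return alerts


# Constructed sample log: one routine admin login, one success from a public
# address, a burst of failures from another public address, and a damaged line.
SAMPLE_LOG = [
    "2024-05-01T10:00:02Z dev-01 auth: user=admin src=10.0.5.7 result=success",
    "2024-05-01T10:02:13Z dev-01 auth: user=admin src=203.0.113.9 result=success",
    "2024-05-01T10:05:40Z dev-01 auth: user=admin src=198.51.100.4 result=failure",
    "2024-05-01T10:05:41Z dev-01 auth: user=admin src=198.51.100.4 result=failure",
    "2024-05-01T10:05:43Z dev-01 auth: user=admin src=198.51.100.4 result=failure",
    "2024-05-01T10:07:00Z dev-01 auth: user=admin src=",
]
TRUSTED_ADMIN_NETS = ["10.0.5.0/24"]  # assumed administrative workstation subnet

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG, TRUSTED_ADMIN_NETS):
        print(alert)
```

On a device that never had a password, a successful login from an unexpected address is the record that matters most: it is the one indicator that the blank password was actually used before remediation, and it should trigger the compromise review rather than just a password reset.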
Compensating Controls: If a password cannot be set or the firmware cannot be updated immediately, segment the vulnerable devices from the rest of the corporate network and from the internet. Apply deny-by-default firewall rules to the management interface, permitting connections only from a small set of trusted administrative workstations. This reduces exposure but does not fix the device; the password still has to be set.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the CVSS score of 9.8 and the trivial nature of exploitation, this vulnerability poses an extreme risk and must be addressed immediately. The absence of public exploit code offers no comfort here: logging in with an empty password requires no exploit. We strongly recommend that all affected products be identified and secured by setting a strong password without delay. Although this CVE is not currently on the CISA KEV list, its severity warrants urgent attention. If immediate remediation is not possible, apply compensating controls such as network isolation and access control lists to reduce the risk of compromise.