CVE-2026-25715

Unknown (Network Device) · Web Management Interface

The web management interface of an unidentified network device allows administrators to set blank passwords, enabling unauthenticated administrative access via web and Telnet.

Executive summary

A critical configuration flaw allows for the use of empty administrative credentials, granting network-adjacent attackers full control over the device's management channels.

Vulnerability

The device's web management interface fails to enforce password complexity, specifically allowing the administrator username and password to be set to blank values. Once configured this way, an attacker can authenticate without credentials over both the web interface and Telnet services.

Business impact

This vulnerability effectively removes all security barriers for the device, allowing an attacker to modify network configurations, intercept traffic, or disable the device entirely. With a CVSS score of 9.8, the risk is critical as it facilitates unauthorized administrative access with minimal effort from a network-adjacent position.

Remediation

Immediate Action: Configure a strong, non-blank administrative password for both the web management interface and any associated CLI services such as Telnet.

Proactive Monitoring: Audit device configurations to ensure no accounts possess empty or default credentials and monitor for unauthorized logins on management ports.

Compensating Controls: Disable the Telnet service in favor of SSH and restrict access to the web management interface to a dedicated management VLAN.
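As an added example (not code from the advisory or the device vendor), the following audit check implements the configuration review described above: it flags accounts with blank usernames or passwords, accounts using a default password, and an enabled Telnet service. Because the device is unidentified, the key/value configuration syntax, the sample accounts and the default-password list are constructed assumptions.

```python
import re
from typing import List

# Constructed sample configuration in a hypothetical key/value syntax;
# the advisory does not identify the device, so this is not a real format.
SAMPLE_CONFIG = """\
hostname edge-switch-01
user admin password ""
user "" password ""
user guest password admin
user backup password hunter2
service telnet enable
service ssh disable
service http enable
"""

# Illustrative defaults to flag; replace with the vendor's documented defaults.
DEFAULT_PASSWORDS = {"admin", "password", "1234"}

# Matches: user <name|"name"> password <secret|"secret">
USER_LINE = re.compile(
    r'^user\s+(?:"([^"]*)"|(\S+))\s+password\s+(?:"([^"]*)"|(\S+))\s*$'
)

def audit_config(config: str) -> List[str]:
    """Return findings for blank/default credentials and enabled Telnet; empty list means clean."""
    findings = []
    telnet_enabled = False
    for lineno, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        m = USER_LINE.match(line)
        if m:
            # Exactly one of the quoted/bare capture groups is set per field.
            user = m.group(1) if m.group(1) is not None else m.group(2)
            password = m.group(3) if m.group(3) is not None else m.group(4)
            if user == "":
                findings.append(f"line {lineno}: account with blank username")
            if password == "":
                findings.append(f"line {lineno}: account '{user}' has blank password")
            elif password in DEFAULT_PASSWORDS:
                findings.append(f"line {lineno}: account '{user}' uses a default password")
        elif line == "service telnet enable":
            telnet_enabled = True
    if telnet_enabled:
        findings.append("telnet service enabled; disable it in favor of SSH")
    return findings
```

Running `audit_config(SAMPLE_CONFIG)` on the constructed dump returns five findings: the blank admin password, the blank-username account (flagged for both its username and password), the default guest password, and the enabled Telnet service.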

Exploitation status

Public Exploit Available: No

Analyst recommendation

The ability to maintain administrative accounts with no password is a significant security failure. It is imperative that administrators immediately enforce password policies and update the device firmware if a patch is available to prevent the setting of blank credentials in the future.