Hard-Coded Credentials in Wattsense Bridge Devices
CVE-2025-26410
9.8 CRITICAL
What is CVE-2025-26410?
The firmware of Wattsense Bridge devices contains hard-coded user and root credentials. These credentials can be recovered with password cracking methods. Once recovered, they allow unauthorized access to the device through the login shell exposed on the serial interface. Apply the firmware update: the flaw associated with the backdoor user account has been addressed in BSP versions 6.4.1 and later.
Affected Version(s)
Wattsense Bridge 0 < 6.4.1
References
CVSS V3.1
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Constantin Schieber-Knöbl | SEC Consult Vulnerability Lab
Stefan Schweighofer | SEC Consult Vulnerability Lab
Steffen Robertz | SEC Consult Vulnerability Lab
