CRITICAL | CVE-2026-35075 | CNA: CERTVDE

CVE-2026-35075: Hardcoded default Password for Service Account

An unauthenticated remote attacker can recover a default, hard coded password from a firmware image and thus gain full access to all affected devices.

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in: V6_0_0_7
  • Affected Products: 18


HarborGuard Analysis

Synopsis

This is an authentication bypass via hardcoded credentials affecting the MBS firmware product line (including the Single-A, Double-A Profibus, Double-A x-link, Single-X, Double-X CAN, Double-X DALI, Double-X KNX, and Double-X LON variants), all versions from V1_0_0_0 up to but not including V6_0_0_7. The vulnerability is reachable over the network without any prior authentication: an attacker extracts the hardcoded default service account password from a firmware image and uses it to log in remotely. Successful exploitation gives the attacker full administrative access to affected devices, with high impact on the confidentiality, integrity, and availability of the device itself. A patched-image rebuild at V6_0_0_7 is available on HarborGuard for environments running an affected firmware version.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-35075 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including internally built or repackaged firmware-derived container images. Any image in a customer registry or CI/CD pipeline carrying an affected MBS firmware version below V6_0_0_7 is flagged automatically.

Status: Available

Triage

HarborGuard surfaces this CVE with its CVSS v4.0 score of 9.3 (Critical), and per-environment compliance policy weighting is applied to prioritize routing. Findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild at V6_0_0_7 becomes available through HarborGuard once an affected image is identified in a customer environment. For customers who opt into auto-remediation, HarborGuard triggers a rebuild at the fix version, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the affected device service over the network; the CVSS vector specifies AV:N, meaning no local or physical access is required.

  • Authentication: Not required

    No credentials are needed before exploitation; the attacker recovers the hardcoded password from the firmware image and uses it to authenticate, so there is no effective authentication barrier (PR:N).

  • Victim interaction: Not required

    The attack is fully remote and automated; no user or administrator of the target device needs to take any action (UI:N).

  • Attack complexity (detail)

    Attack complexity is low (AC:L), meaning the exploit is straightforward and repeatable without relying on race conditions, specific memory layouts, or other environmental factors.

Blast Radius

  • An attacker gains full administrative access to the targeted device, reading all stored configuration, credentials, and operational data on the device.
  • The attacker can write or modify device configuration and operational state, including altering building-automation or industrial-control parameters depending on the device role.
  • The attacker can disrupt or deny availability of the affected device, taking it offline or rendering it non-functional.
  • All MBS device variants from V1_0_0_0 onward are affected, so a single recovered password applies uniformly across the entire affected product family.

How HarborGuard Handles This

Available on HarborGuard: detection and remediation capability for CVE-2026-35075 is ready for all customer environments scanning MBS firmware-based images. For environments with auto-remediation enabled, HarborGuard can trigger a rebuild at the patched version V6_0_0_7, run a regression test, and open a pull request against affected workloads; for Critical-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image at V6_0_0_7 is staged and a finding is routed to the owning team for review. Because the hardcoded password is embedded in the firmware image itself, updating to V6_0_0_7 is the definitive fix; as an interim compensating control before patching, customers can apply network-policy rules to restrict inbound access to affected device management interfaces and use egress filtering to limit lateral movement from a compromised device.


Fix available: V6_0_0_7

Affected packages
  • MBS / Single-A
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-A Profibus
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-A x-link
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Single-X
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X CAN
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X DALI
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X KNX
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X LON
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X M-Bus
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X PROFINET
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X x-link
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X KNX+DALI
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X KNX+LON
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X KNX+M-Bus
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X PROFINET+DALI
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X PROFINET+KNX
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X PROFINET+LON
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X PROFINET+M-Bus
    < V6_0_0_7 (from V1_0_0_0)
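
To check a device inventory against the range above, the version fields have to be compared as numbers, since a plain string comparison misorders values such as V10_0_0_0 and V6_0_0_7. The following is an added example, not HarborGuard or vendor code; it assumes the four underscore-separated fields are ordered most significant first, and the hostnames and versions in the sample inventory are constructed.

```python
import re

# Version bounds taken from the advisory: affected from V1_0_0_0 up to,
# but not including, the fixed release V6_0_0_7.
FIRST_AFFECTED = (1, 0, 0, 0)
FIXED = (6, 0, 0, 7)
_VERSION_RE = re.compile(r"V(\d+)_(\d+)_(\d+)_(\d+)")


def parse_version(text):
    """Return the four numeric fields of a 'V6_0_0_7'-style string, or None."""
    match = _VERSION_RE.fullmatch(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Return 'affected', 'fixed' or 'unknown' for one firmware version string."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # unparseable: review by hand, never assume patched
    if FIRST_AFFECTED <= version < FIXED:
        return "affected"
    # Anything below V1_0_0_0 is outside the range the advisory describes.
    return "fixed" if version >= FIXED else "unknown"


def triage(inventory):
    """Group (host, product, version) records by classification."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, product, version_text in inventory:
        result[classify(version_text)].append((host, product, version_text))
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("gw-01.example", "Double-X KNX", "V5_12_0_3"),
    ("gw-02.example", "Single-A", "V6_0_0_7"),
    ("gw-03.example", "Triple-X PROFINET+DALI", "V6_0_0_6"),
    ("gw-04.example", "Double-X LON", "v6.0.0.7"),  # wrong format
    ("gw-05.example", "Single-X", "V10_0_0_0"),
]

if __name__ == "__main__":
    for status, records in triage(SAMPLE_INVENTORY).items():
        for host, product, version_text in records:
            print(f"{status:9} {host:15} MBS / {product:24} {version_text}")
```

Records that land in "unknown" should be resolved manually rather than treated as patched.
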
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N