CVE-2026-35905: T3 Technology CPE models T625Pro v1
T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03, and T7281 v1.0.03 were discovered to contain a hardcoded password for root access under the "superadmin" account.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A hardcoded root password vulnerability affects T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03, and T7281 v1.0.03. The flaw is reachable over the network with no authentication required, because the fixed "superadmin" credential is baked into the firmware and cannot be changed by normal configuration. Successful exploitation grants an attacker full root access to the device, enabling complete confidentiality loss, data tampering, and service disruption. No upstream fix has been published; HarborGuard tracks the advisory and will make a patched rebuild available the moment a fix is released.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and build pipelines, including custom-built firmware or base images derived from affected T3 Technology software. Coverage extends to any image layer that bundles the vulnerable firmware version.
Status: Available
HarborGuard is capable of scoring this finding at CVSS 9.8 Critical and weighting it against each customer environment's compliance policy to determine urgency. Triage routing is available to direct the alert to the appropriate team inbox within each customer organization based on configured ownership rules.
Status: Available
Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment T3 Technology ships a remediated firmware version. In the interim, the finding remains open and visible in each customer's vulnerability queue with full advisory context.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The affected service is exposed over the network, meaning an attacker can reach it from the internet or any routable network path without requiring local or physical access.
- Authentication: Not required
  The hardcoded "superadmin" credential is publicly known and embedded in the firmware, so no legitimate account or prior access is needed to authenticate as root.
- Victim interaction: Not required
  Exploitation is fully attacker-driven and requires no action from any user or administrator on the target device.
- Attack complexity
  Attack complexity is low: the exploit is reliable and condition-free, requiring only network access and knowledge of the fixed credential with no timing, race conditions, or environmental factors to overcome.
Blast Radius
- An attacker gains a root shell on the device, giving full control over all running processes and configuration.
- All data stored on or transmitted through the device becomes readable, including credentials, session tokens, and network traffic.
- An attacker can modify device configuration, routing rules, or firmware settings, persisting access or redirecting traffic.
- The device can be crashed or rendered permanently inoperable, disrupting connectivity for any downstream network segment it serves.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-35905 is active across customer environments scanning images that include T3 Technology T625Pro, T6825G, or T7281 firmware components. Because no upstream patch exists, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically when T3 Technology publishes a fix. For customers with auto-remediation enabled, that rebuild will be accompanied by a regression-test run and a PR opened against affected workloads. While the vulnerability remains unpatched, recommended compensating controls include network-policy isolation to restrict management-plane access to trusted administrative subnets, egress filtering to limit what the device can initiate outbound, and disabling remote root login interfaces where the device firmware permits feature-flag gating.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H