CVE-2026-35075: Hardcoded Default Password in Firmware Image
A critical hardcoded credential vulnerability tracked as CVE-2026-35075 has been disclosed affecting embedded devices with a hardcoded default password embedded in their firmware. With a CVSS v3.1 score of 9.8 (Critical), an unauthenticated remote attacker can extract this password by downloading and analyzing the firmware image — then use it to gain full administrative access to all affected devices with zero exploitation complexity.
The vulnerability was published to the NIST NVD on June 3, 2026 and follows the well-documented CWE-259 (Use of Hard-coded Password) pattern, one of the most persistent and dangerous vulnerability classes in embedded and IoT device firmware.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-35075 |
| CVSS Score | 9.8 (Critical) |
| CWE Classification | CWE-259 — Use of Hard-coded Password |
| Attack Vector | Network |
| Authentication Required | None |
| Attack Complexity | Low |
| Primary Impact | Full device compromise via hardcoded credential |
| Source | NVD / NIST |
Technical Details
Root Cause: CWE-259 Hardcoded Password
CWE-259 describes firmware or software where a password is compiled directly into the binary rather than being generated, configured, or randomly assigned at deployment time. Hardcoded passwords in firmware are a persistent vulnerability class because:
- The password is identical across all deployed units — one extracted password compromises every device running the same firmware version
- Firmware images are often publicly downloadable — vendors publish firmware for customer update purposes, making extraction trivial
- Static analysis tools readily extract strings — even without advanced reverse engineering, basic `strings` or `binwalk` analysis can reveal credentials
Extraction and Exploitation Path
Attacker downloads firmware image from vendor website (or intercepts update)
→ Analyzes firmware with binwalk / strings / Ghidra / IDA Pro
→ Extracts hardcoded password from binary, configuration file, or script
→ Authenticates to any affected device using extracted credential
→ Full administrative access granted
→ Configuration modification, data exfiltration, backdoor installation
Basic firmware extraction example:

```bash
# Download firmware image
wget https://vendor.example.com/firmware/device-v4.0.bin
# Extract and identify credential strings
binwalk -e device-v4.0.bin
strings device-v4.0.bin | grep -iE '(password|passwd|secret|admin|root|default)'
# Common results:
# admin:manufacturer_default_2024!
# root:SuperSecretFactoryPassword
```

The CVSS score of 9.8 reflects:
- Attack Vector: Network — device accessible remotely
- Attack Complexity: Low — password extraction requires no specialized skill
- Authentication: None — the hardcoded credential bypasses authentication entirely
- All three impact dimensions: High (full device control)
Why Hardcoded Passwords Persist in Firmware
Despite being a well-documented vulnerability class since at least the 2000s, hardcoded passwords persist in embedded device firmware due to:
| Reason | Description |
|---|---|
| Manufacturing convenience | Default credentials simplify factory configuration and QA testing |
| Recovery mechanism | Manufacturers include "recovery passwords" for customer support use |
| Legacy code | Long firmware development cycles mean hardcoded credentials survive across generations |
| No secure boot process | Devices with no secure provisioning have no mechanism for unique per-device credentials |
| Developer oversight | Credentials left in from development/testing not removed before release |
Impact Assessment
| Impact Area | Description |
|---|---|
| Full Device Takeover | Administrative access allows complete reconfiguration of affected devices |
| Mass Exploitation | Single extracted password works against every device running the same firmware |
| Botnet Recruitment | Compromised devices are prime targets for IoT botnets (Mirai variants, etc.) |
| Credential Pivot | Device access may expose upstream network credentials, SNMP strings, or API keys |
| Firmware Implantation | Persistent backdoor installation survives factory reset if firmware is reflashed |
| Physical Infrastructure Risk | On OT/ICS devices, firmware-level access can affect physical processes |
Hardcoded default password vulnerabilities have powered some of the most damaging mass-exploitation events in recent history, including the Mirai botnet (2016), which leveraged default credentials across millions of IoT devices to launch record-breaking DDoS attacks exceeding 1 Tbps.
Affected Systems
The NVD description confirms this affects all devices running the vulnerable firmware version. Organizations should:
- Identify all devices from the affected vendor in their environment
- Check device firmware versions against the vendor security advisory
- Assume all units with the vulnerable firmware are compromised if exploitation cannot be ruled out
Contact the affected vendor's security team and monitor their official security advisory channel for:
- Precise model numbers and firmware version ranges
- Availability of patched firmware
- Vendor-recommended mitigations
Remediation
Immediate Actions
- Apply firmware updates — Install patched firmware from the vendor that removes or replaces the hardcoded default password. Monitor the vendor's security advisory page for the specific update:

  ```bash
  # Verify firmware version before and after update
  # Use vendor-specific CLI or web interface
  show version
  # or
  cat /etc/firmware_version
  ```

- Change default credentials immediately — Even on unpatched devices, access the management interface and change all default passwords to strong, unique values. While this does not fix the underlying hardcoded credential (which may still be accessible via firmware extraction), it reduces immediate exploitation risk.

- Restrict management interface access — Firewall the device management interface to authorized management hosts only:

  ```bash
  # Allow only management VLAN to reach device admin ports
  iptables -A INPUT -p tcp --dport 22 -s <mgmt-subnet> -j ACCEPT
  iptables -A INPUT -p tcp --dport 22 -j DROP
  iptables -A INPUT -p tcp --dport 80 -s <mgmt-subnet> -j ACCEPT
  iptables -A INPUT -p tcp --dport 80 -j DROP
  ```

- Scan for internet exposure — Use Shodan or Censys to identify whether affected devices are internet-accessible:

  ```bash
  # Check Shodan for exposed device management interfaces
  shodan search "vendor:AffectedManufacturer port:80,22,443" --fields ip_str,port,org
  ```

- Monitor for unauthorized access — Review authentication logs on affected devices for access using the default credential string, which may indicate prior compromise.

- Incident response — If exploitation cannot be ruled out, treat affected devices as compromised and:
  - Isolate from the network
  - Collect forensic artifacts (log files, network captures)
  - Reimage with patched firmware from a trusted source
  - Rotate all credentials the device had access to
Defense-in-Depth for Embedded Devices
Priority 1: Apply vendor firmware patch immediately upon availability
Priority 2: Change all default credentials to unique strong passwords
Priority 3: Network isolation — management interfaces must not be internet-accessible
Priority 4: Asset inventory — maintain a current list of all embedded devices and firmware versions
Priority 5: Network monitoring — alert on authentication attempts using known default credentials
Priority 6: Firmware signing verification — ensure only vendor-signed firmware is installable
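The log review in the "Monitor for unauthorized access" step and the Priority 5 alerting rule, as an added example that is not from the advisory. It assumes OpenSSH-style syslog lines (the sample below is constructed), that the vendor default accounts are `admin` and `root`, and a management subnet of 10.10.50.0/24; adapt the regex, account list and subnet to your devices and network.

```python
import ipaddress
import re

# Constructed sample lines in OpenSSH-style syslog format. Real devices vary
# (dropbear, web UI), so adapt LOGIN_RE to the format your device emits.
SAMPLE_LOG = """\
Jun  4 10:12:01 dev1 sshd[1201]: Accepted password for admin from 10.10.50.21 port 51022 ssh2
Jun  4 10:12:40 dev1 sshd[1204]: Accepted password for admin from 203.0.113.45 port 40211 ssh2
Jun  4 10:13:02 dev1 sshd[1206]: Failed password for root from 198.51.100.7 port 33001 ssh2
Jun  4 10:14:10 dev1 sshd[1209]: Accepted publickey for operator from 10.10.50.30 port 50100 ssh2
"""

LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Assumptions: the vendor's default accounts and the site's management subnet
DEFAULT_ACCOUNTS = {"admin", "root"}
MGMT_NET = ipaddress.ip_network("10.10.50.0/24")


def find_default_credential_use(log_text, default_accounts=DEFAULT_ACCOUNTS,
                                mgmt_net=MGMT_NET):
    """Return alerts for logins that use default accounts or bypass the management subnet."""
    alerts = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        user, src = m["user"], ipaddress.ip_address(m["src"])
        in_mgmt = src in mgmt_net
        accepted = m["result"] == "Accepted"
        if accepted and user in default_accounts and not in_mgmt:
            sev = "critical"  # default account logged in from outside management: assume compromise
        elif accepted and not in_mgmt:
            sev = "high"      # management interface reachable from outside the allowed subnet
        elif user in default_accounts and not in_mgmt:
            sev = "medium"    # remote attempts against the vendor default account
        elif accepted and user in default_accounts:
            sev = "low"       # default account still in use internally; rotate it
        else:
            continue
        alerts.append({"severity": sev, "user": user, "src": str(src), "line": line})
    return alerts


if __name__ == "__main__":
    for alert in find_default_credential_use(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["user"], alert["src"])
```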
Hardcoded Credentials in Historical Context
CWE-259 hardcoded password vulnerabilities represent one of the most consistently exploited vulnerability classes across embedded and IoT device history:
| Year | Notable Case | Impact |
|---|---|---|
| 2016 | Mirai botnet | Leveraged default credentials across millions of IoT devices for 1+ Tbps DDoS |
| 2018 | CVE-2018-15473 | OpenSSH username enumeration via hardcoded credential path |
| 2020 | SolarWinds | Hardcoded update credential solarwinds123 enabled supply chain attack |
| 2021 | Multiple SOHO routers | Hardcoded admin credentials in Netgear, TP-Link, and ASUS firmware |
| 2023 | Fortinet FortiOS | Hard-coded cryptographic key in FortiOS SSL-VPN |
| 2026 | CVE-2026-35075 | Hardcoded default firmware password — all affected devices at risk |
The OWASP IoT Top 10 consistently lists hardcoded credentials as the #1 or #2 vulnerability in IoT device security, and CISA's ICS security advisories frequently flag this issue in operational technology device firmware.
Key Takeaways
- CVE-2026-35075 is a CVSS 9.8 critical hardcoded default password vulnerability affecting all units running the vulnerable firmware version — no exploitation skill required
- The password is extractable from the publicly available firmware image using basic analysis tools, meaning mass exploitation is trivially achievable
- Every device running the vulnerable firmware is equally at risk — there is no per-device variation in the hardcoded credential
- Immediate mitigations: change default passwords, isolate management interfaces, and apply vendor firmware patches when available
- Contact the affected vendor directly and monitor their security advisory channel for patched firmware release dates