Ivan Racic

#9185of 53,633
29.8Total CVSS
Vulnerabilities · 3
Critical
3
PT-2026-44402
9.8
2026-05-28
Sdmc · Ne6037 · CVE-2026-24444
**Name of the Vulnerable Software and Affected Versions** SDMC NE6037 version 7.1.6.0.25 SDMC NE6037 version 7.1.6.1.9 B9 **Description** The web management interface recovery endpoints "mgmt.php" and "npcmd.php" contain a hardcoded password. Unauthenticated attackers can gain root access by submitting these hardcoded credentials to the recovery endpoints via HTTP. This access allows attackers to enable filtered SSH and Telnet services, resulting in unauthenticated root-level remote access to the underlying system. **Recommendations** Update version 7.1.6.0.25 to a newer version that removes the hardcoded credentials. Update version 7.1.6.1.9 B9 to a newer version that removes the hardcoded credentials.
PT-2026-1952
10
2026-01-09
Ruckus · Ruckus Vriot Iot Controller · CVE-2025-69425
**Name of the Vulnerable Software and Affected Versions** Ruckus vRIoT IoT Controller versions prior to 3.0.0.0 (GA) **Description** The Ruckus vRIoT IoT Controller firmware exposes a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compromise. **Recommendations** Update to version 3.0.0.0 (GA) or later.
PT-2026-1953
10
2026-01-09
Ruckus · Ruckus Vriot Iot Controller · CVE-2025-69426
**Name of the Vulnerable Software and Affected Versions** Ruckus vRIoT IoT Controller versions prior to 3.0.0.0 **Description** The Ruckus vRIoT IoT Controller firmware contains hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. While SCP and pseudo-TTY allocation are disabled, an attacker can authenticate using the hardcoded credentials and establish SSH local port forwarding to access the Docker socket. By mounting the host filesystem via Docker, an attacker can escape the container and execute arbitrary OS commands as root on the underlying vRIoT controller, leading to complete system compromise. **Recommendations** Update to version 3.0.0.0 or later.