CVE-2026-35905: T3 Technology CPE Hardcoded Root Credentials Advisory

Vulnerability Overview CVE-2026-35905: Hardcoded Root Credentials (superadmin) T3 Technology CPE devices ship with hardcoded credentials for a account, which provides complete root-level access. These credentials are identical across all affected devices and cannot be changed by end-users, allowing any attacker with network access to fully compromise the device through its management interface. Scope of Impact Confirmed (Lab Verified) Suspected (Same Vendor SDK/Codebase) Scope Notes: Only the firmware versions listed above have been lab-verified. Earlier or later versions may also be affected. The shared vendor SDK across product lines indicates that the vulnerability is systemic. Remediation The vendor must remove hardcoded credentials and implement unique per-device passwords or enforce password changes on first login. Users should restrict management interface access through network-level controls (VLAN isolation, firewall rules). Vulnerability Details Type: Hardcoded Credentials (CWE-798) Component: System Firmware ( , ) Authentication Required: None (The credentials themselves constitute the vulnerability) Impact: Full root access to the device The firmware contains a built-in account with a static password shared across all units. These credentials provide root-level access via Telnet and the Web management interface. Hardcoded Credentials Telnet Access Web GUI Access Attack Scenario 1. The attacker enables Telnet via CVE-2026-35904 (unauthenticated CGI call). 2. The attacker connects to Telnet on port 23. 3. The attacker authenticates using the hardcoded credentials. 4. The attacker now has full root shell access to the device. Timeline References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-35905 https://t3techgroup.com/ https://www.ncsa.or.th/

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-35905: T3 Technology CPE Hardcoded Root Credentials Advisory

More from this source