CVE-2026-24444
Description
SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9 contain a hardcoded password vulnerability in the web management interface recovery endpoints (mgmt.php, npcmd.php) that allows unauthenticated attackers to gain root access by submitting the hardcoded credential to the recovery endpoint via HTTP. Attackers can leverage this hardcoded password to enable filtered SSH and Telnet services on the device, resulting in unauthenticated root-level remote access to the underlying system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-24444 is a critical hardcoded password vulnerability in SDMC NE6037 cable modem routers running firmware 7.1.6.0.25/7.1.6.1.9_B9 that allows unauthenticated attackers to gain root access via the web management recovery endpoints mgmt.php and npcmd.php.
Vulnerability
CVE-2026-24444 is a hardcoded password vulnerability in the SDMC NE6037 cable modem router running firmware versions 7.1.6.0.25 and 7.1.6.1.9_B9 [1]. The flaw resides in the web management interface recovery endpoints mgmt.php and npcmd.php, which accept a hardcoded credential sent via HTTP POST. No authentication is required to reach these endpoints, and the device does not validate that the password is unique or has been changed from the default [1]. The affected product is described as a DOCSIS 3.1 cable modem/router with Wi-Fi 6 capabilities, as detailed on the official product page [2].
Exploitation
An unauthenticated attacker with network access to the router's web management interface can exploit this vulnerability by sending an HTTP request containing the hardcoded credential to either mgmt.php or npcmd.php [1]. The attacker does not need any prior authentication, user interaction, or special network position beyond being able to reach the device's management IP. Once the request is processed, the attacker can leverage the successful authentication to enable filtered SSH and Telnet services on the device, which are otherwise disabled [1]. This provides a direct path for the attacker to interact with the system remotely via command-line access.
Impact
Successful exploitation grants the attacker unauthenticated root-level remote access to the underlying operating system of the SDMC NE6037 router [1]. The attacker can then execute arbitrary commands with full root privileges, leading to complete compromise of the device. This results in loss of confidentiality (access to network traffic, credentials, internal data), integrity (ability to modify firmware, configuration, or install malicious software), and availability (potential to disrupt or disable the device's functions). The impact extends to any devices or networks behind the router, as the attacker can pivot from the compromised gateway.
Mitigation
As of the publication date (2026-05-28), no official firmware update from SDMC addressing CVE-2026-24444 has been disclosed in the available references [1]. Users are advised to restrict access to the web management interface by placing the device behind a firewall and disabling remote administration over the WAN side. If possible, change the default hardcoded password through supported configuration options; however, the reference indicates the password is hardcoded and may not be changeable through normal interfaces [1]. Affected firmware versions are 7.1.6.0.25 and 7.1.6.1.9_B9; newer firmware versions should be checked on the vendor's support site for any patched releases. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Hardcoded password in the recovery endpoint allows unauthenticated attackers to bypass authentication and modify firewall rules."
Attack vector
An unauthenticated attacker sends an HTTP GET request to the recovery endpoint (`/cgi-bin/recovery.php`) with the hardcoded password `YzVlY2UxMDc4MmEzYjYzNDM3OTY5NzkyYWQ1YWM2MGEK` as a query parameter [ref_id=1]. If the password matches, the `$code` variable remains `"success"` and the attacker can trigger `exec()` calls that insert iptables/ip6tables rules to allow SSH and Telnet access from the LAN interface (lines 778-781) [ref_id=1]. The attacker can then connect via SSH or Telnet to gain unauthenticated root-level remote access to the device. No prior authentication or network position beyond LAN reachability is required.
Affected code
The vulnerable code resides in `/usr/www/php/mgmt.php` within the `handleConsoleRecovery` function (line 729). The function reads `username` and `password` from the HTTP query string via `utilsGetQueryString` (lines 737-738) and compares the password against the hardcoded value `YzVlY2UxMDc4MmEzYjYzNDM3OTY5NzkyYWQ1YWM2MGEK` [ref_id=1]. The endpoint is reachable through `/cgi-bin/recovery.php`, which is registered in `getCgiPublicUrls()` and mapped to `handleConsoleRecovery` via `DECL_BYPASS("recovery.php", "handleConsoleRecovery")` in `php/lib/handler.php`, meaning no authentication token is required [ref_id=1].
What the fix does
The advisory does not provide a patch or vendor fix [ref_id=1]. The remediation guidance is implicit: the hardcoded credential `YzVlY2UxMDc4MmEzYjYzNDM3OTY5NzkyYWQ1YWM2MGEK` must be removed from `mgmt.php`, and the recovery endpoint should require proper authentication rather than being registered as a public (no-token) URL via `getCgiPublicUrls()` [ref_id=1]. Additionally, the use of `exec()` to modify firewall rules based on unauthenticated input should be replaced with a properly authorized and restricted mechanism.
Preconditions
- networkThe attacker must have network access to the router's web management interface (typically LAN-side).
- configThe router must be running firmware version 7.1.6.0.25 or 7.1.6.1.9_B9.
- authNo authentication is required; the recovery endpoint is publicly accessible.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.