
CVE-2025-14126: Hard-coded Credentials in TOZED ZLT M30S

Severity: High
Type: Vulnerability
Published: Sat Dec 06 2025 (12/06/2025, 10:02:05 UTC)
Source: CVE Database V5
Vendor/Project: TOZED
Product: ZLT M30S

Description

A vulnerability has been found in TOZED ZLT M30S and ZLT M30S PRO 1.47/3.09.06. Affected is an unknown function of the component Web Interface. Such manipulation leads to hard-coded credentials. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 12/13/2025, 10:16:42 UTC

Technical Analysis

CVE-2025-14126 is a vulnerability identified in the TOZED ZLT M30S and ZLT M30S PRO devices, specifically in their web interface component. The flaw involves the presence of hard-coded credentials embedded within the device firmware, which can be exploited by an attacker who has access to the local network. This vulnerability does not require any authentication or user interaction to exploit, making it easier for an attacker to leverage once inside the network perimeter. The hard-coded credentials provide unauthorized access to the device’s web interface, potentially allowing full control over the device’s configuration and operations. The vulnerability affects firmware versions 1.47 and 3.09.06. The vendor was notified early but has not issued any response or patch, leaving the vulnerability unmitigated. The CVSS 4.0 base score of 8.7 indicates a high-severity issue, with an adjacent-network attack vector (AV:A), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impacts on confidentiality, integrity, and availability (C:H, I:H, A:H). Although no known exploits are currently reported in the wild, the public disclosure increases the likelihood of exploitation attempts. The vulnerability poses a significant risk to environments where these devices are deployed, especially in local network segments that are not adequately isolated or monitored.

Potential Impact

For European organizations, this vulnerability presents a serious threat due to the potential for unauthorized access to critical network devices. The hard-coded credentials can allow attackers to bypass authentication controls, leading to full compromise of the affected devices. This can result in data breaches, manipulation of device configurations, disruption of network services, and potential pivoting to other internal systems. Organizations relying on TOZED ZLT M30S devices in operational technology (OT) environments, industrial control systems (ICS), or critical infrastructure sectors are particularly vulnerable. The absence of a vendor patch increases the risk exposure and complicates remediation efforts. The local network access requirement means that attackers must first breach perimeter defenses or gain insider access, but once inside, the exploitation is straightforward and impactful. This vulnerability could facilitate espionage, sabotage, or ransomware attacks targeting European enterprises and public sector entities.

Mitigation Recommendations

Since no official patches are available, European organizations should implement immediate compensating controls. These include strict network segmentation to isolate TOZED devices from general user networks and the internet, minimizing local network exposure. Deploy access control lists (ACLs) and firewall rules to restrict access to the devices’ management interfaces only to authorized personnel and systems. Implement network monitoring and intrusion detection systems (IDS) to detect anomalous access patterns or brute-force attempts targeting the devices. Change default network configurations to disable unused services and interfaces. If possible, replace affected devices with alternatives that do not contain hard-coded credentials. Conduct regular security audits and penetration tests focusing on local network vulnerabilities. Educate internal staff about the risks of insider threats and enforce strong physical security controls to prevent unauthorized local network access. Maintain an incident response plan tailored to potential device compromise scenarios.
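
The monitoring recommendation above, as an added example that is not part of the original advisory: a hard-coded credential lets a login succeed on the first attempt, so failed-login thresholds may never fire, and this script instead flags every connection to the management interface from a source outside an allowlist. The log format, device address, management ports and admin workstation address are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions (constructed for this example, not taken from the advisory):
DEVICE_IPS = {ipaddress.ip_address("192.168.8.1")}          # router address
MGMT_PORTS = {80, 443}                                      # web interface ports
ADMIN_SOURCES = [ipaddress.ip_network("192.168.8.10/32")]   # authorized admin host

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")

# Constructed firewall/flow log lines, including one malformed entry.
SAMPLE_LOG = """\
2025-12-13T09:58:11Z src=192.168.8.10 dst=192.168.8.1 dport=443 action=ACCEPT
2025-12-13T10:02:40Z src=192.168.8.57 dst=192.168.8.1 dport=80 action=ACCEPT
2025-12-13T10:02:41Z src=192.168.8.57 dst=192.168.8.1 dport=80 action=ACCEPT
2025-12-13T10:03:05Z src=192.168.8.23 dst=192.168.8.1 dport=53 action=ACCEPT
2025-12-13T10:04:19Z src=192.168.8.99 dst=192.168.8.1 dport=443 action=DROP
garbage line that does not parse
"""

def unauthorized_mgmt_access(log_text):
    """Return {source_ip: [(timestamp, port, action), ...]} for connections to a
    device management port from any source outside ADMIN_SOURCES."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # field present but not a valid IP address
        if dst not in DEVICE_IPS or int(m["dport"]) not in MGMT_PORTS:
            continue  # not traffic to the management interface
        if any(src in net for net in ADMIN_SOURCES):
            continue  # authorized admin workstation
        hits[str(src)].append((m["ts"], int(m["dport"]), m["action"]))
    return dict(hits)

if __name__ == "__main__":
    for src, events in unauthorized_mgmt_access(SAMPLE_LOG).items():
        accepted = sum(1 for e in events if e[2] == "ACCEPT")
        print(f"{src}: {len(events)} connection(s), {accepted} accepted")
```

An accepted connection in the output means the ACL in front of the device has a gap; a dropped one shows the ACL working and identifies a host worth investigating.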


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2025-12-05T16:58:25.370Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6934009fb96ba7cdea90c2c3

Added to database: 12/6/2025, 10:08:31 AM

Last enriched: 12/13/2025, 10:16:42 AM

Last updated: 1/20/2026, 1:05:34 AM
