Skip to main content

iRM-IEI Remote Management CVE-2026-11849

| EUVDEUVD-2026-36410 CRITICAL
Use of Hard-coded Credentials (CWE-798)
2026-06-12 twcert GHSA-ccm4-vchx-9cmq
9.3
CVSS 4.0 · Vendor: twcert
Share

Severity by source

Vendor (twcert) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Hardcoded credentials grant remote unauthenticated admin DB access (AV:N, AC:L, PR:N, UI:N) with full C/I/A impact on the same system (S:U).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (twcert).

CVSS VectorVendor: twcert

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 12, 2026 - 13:01 EUVD
Analysis Generated
Jun 12, 2026 - 11:30 vuln.today

DescriptionCVE.org

The iRM-IEI Remote Management developed by IEI Integration Corp has a Hardcoded Credentials vulnerability, allowing unauthenticated remote attackers to exploit hard-coded credentials to gain administrative privileges on the database.

AnalysisAI

Hardcoded database credentials in IEI Integration Corp's iRM-IEI Remote Management (iRM-TSI410X platform) allow remote unauthenticated attackers to authenticate to the backend database with administrative privileges. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 reflects trivial network-accessible exploitation with full confidentiality, integrity, and availability impact. The flaw is reported by TWCERT and tagged as an Authentication Bypass.

Technical ContextAI

iRM-IEI Remote Management is a remote device management product from IEI Integration Corp, with the iRM-TSI410X identified as the affected platform (cpe:2.3:a:iei_integration_corp:irm-tsi410x). The root cause is CWE-798 (Use of Hard-coded Credentials): static credentials embedded in firmware or application code that grant administrative access to the backend database. Hardcoded credentials cannot be changed by operators without vendor intervention and are typically discoverable through firmware extraction, binary reverse engineering, or reuse across deployed units, making every device sharing the same image equally vulnerable.

RemediationAI

No vendor-released patch identified at time of analysis from the supplied data; consult the TWCERT advisories (https://www.twcert.org.tw/en/cp-139-10972-32032-2.html and https://www.twcert.org.tw/tw/cp-132-10971-ac61f-1.html) for the authoritative fixed firmware version from IEI Integration Corp and apply it as soon as it is published. Until a fix is deployed, restrict network reachability of the iRM-TSI410X management and database services to a dedicated management VLAN or jump host (this will break any remote workflows that currently rely on direct internet access), block the database listener at the perimeter firewall, and monitor authentication logs for use of default or vendor accounts. Because the credentials are hardcoded, rotating local passwords will not remediate the issue - network isolation is the only meaningful compensating control until firmware that removes the embedded secret is installed.

Share

CVE-2026-11849 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy