Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Tyler Identity Local (TID-L) uses documented, default administrative credentials. Users are not required to change the credentials before deployment. TID-L has not been distributed since December 2020, and has not been supported since 2021.
AnalysisAI
Use of default administrative credentials in Tyler Identity Local (TID-L) allows remote unauthenticated attackers to gain full administrative access to affected deployments. The credentials are publicly documented and users are not forced to change them at install time, and because the product was discontinued in December 2020 and unsupported since 2021, no vendor patch is available. CVSS 4.0 rates this 9.3 (Critical); no public exploit identified at time of analysis and the issue is not in CISA KEV.
Technical ContextAI
Tyler Identity Local (TID-L) is an on-premises identity/authentication component from Tyler Technologies historically used by state and local government customers. The flaw maps to CWE-1392 (Use of Default Credentials), a configuration weakness in which the vendor ships fixed, publicly documented administrator credentials and does not enforce a change-on-first-use workflow. Per the CPE string cpe:2.3:a:tyler_technologies:tid-l:*:*:*:*:*:*:*:*, every version of the TID-L application is in scope. The reporting source (cisa-cg, the CISA Coordinated Disclosure / Cybersecurity Advisory program) and the referenced CSAF advisory (va-26-138-01) indicate this was disclosed through coordinated vulnerability disclosure rather than independent research.
RemediationAI
No vendor-released patch identified at time of analysis - TID-L is end-of-life and end-of-support, so the only durable remediation is to decommission TID-L and migrate to a supported Tyler identity offering or another modern IdP, coordinating with Tyler Technologies per the CSAF advisory at https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-138-01.json. As immediate compensating controls until migration completes, change the documented default administrative credentials to a long random secret (recognizing this is unsupported and may break vendor-prescribed flows), place the TID-L management interface behind a VPN or restrict it via firewall ACL to a small admin jump-host subnet so it is not reachable from the internet or general user network (trade-off: legitimate remote admin workflows must move through the bastion), and enable network-layer logging on access to TID-L endpoints to detect credential-use attempts. Audit downstream applications that trust TID-L for authentication and prepare to revoke that trust during cutover to limit blast radius if the credential is used before decommissioning.
Same weakness CWE-1392 – Use of Default Credentials
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30937
GHSA-fmqc-2w48-qp8r