Skip to main content

CashDro 3 EUVDEUVD-2026-28547

| CVE-2026-8076 CRITICAL
Use of Weak Credentials (CWE-1391)
2026-05-08 INCIBE GHSA-9x7x-hw35-pfrh
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 08, 2026 - 12:45 vuln.today
CVSS changed
May 08, 2026 - 12:22 NVD
9.3 (CRITICAL)
CVE Published
May 08, 2026 - 11:55 nvd
CRITICAL 9.3

DescriptionCVE.org

Weak credentials in the CashDro 3 web administration panel, version 24.01.00.26, where the platform allows the use of numeric PINs for user authentication. The system supports the use of PIN-based credentials, maintaining compatibility with POS software integrations deployed since 2012. This could allow an attacker to easily perform a brute-force attack against a user and gain access by trying different PINs without the account being locked. Successful exploitation of this vulnerability could result in unauthorized access to confidential configuration settings, compromising the security of the system.

AnalysisAI

Brute-force authentication bypass in CashDro 3 web administration panel 24.01.00.26 enables remote unauthenticated attackers to gain full administrative access. The system accepts numeric PINs without account lockout mechanisms, a legacy design from 2012 POS integrations. Successful exploitation grants access to confidential configuration settings with high impact to confidentiality and integrity (CVSS 9.3). No public exploit identified at time of analysis, though exploitation is trivial given the vulnerability class. Patch available per vendor advisory from INCIBE.

Technical ContextAI

CashDro 3 is a cash management system with a web-based administration panel (CPE: cpe:2.3:a:cashdro:cashdro_3_administration_panel). The vulnerability stems from CWE-1391 (Use of Weak Credentials), where the authentication mechanism accepts numeric PINs without implementing rate limiting, account lockout, or CAPTCHA protections. This design choice traces to backwards compatibility requirements with point-of-sale (POS) software integrations deployed since 2012. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) indicates a remotely exploitable flaw requiring no prerequisites - attackers can directly enumerate PINs against the web interface. Numeric-only PINs drastically reduce the keyspace compared to alphanumeric passwords (10^n vs 62^n possibilities), making brute-force attacks computationally trivial even for longer PIN lengths. The absence of lockout controls means attackers can iterate through the entire PIN space without detection or interruption.

RemediationAI

Vendor-released patch available per INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cashdro-3 - consult this resource for exact fix version and upgrade instructions. Primary mitigation: apply vendor patch immediately to affected CashDro 3 administration panels. Until patching is complete, implement network-level compensating controls: restrict web panel access to trusted IP ranges only via firewall rules (blocks remote exploitation but impacts legitimate remote administration), deploy a reverse proxy with rate limiting (10 requests/minute per source IP recommended, may cause false positives during legitimate use), and enable logging with real-time alerting on failed authentication attempts (three failures in 60 seconds should trigger investigation). Change all existing PINs to maximum supported length and document changes for POS integration teams. If POS compatibility allows, migrate to alphanumeric password authentication or certificate-based authentication. Monitor vendor communications for guidance on POS integration impacts, as authentication changes may require updates to integrated systems deployed since 2012. Do not expose the administration panel to public internet - use VPN access for remote administration with multi-factor authentication at the VPN layer.

Share

EUVD-2026-28547 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy