Which versions of SDMC NE6037 are affected by EUVD-2026-32928?

SDMC NE6037 cable modem routers (firmware versions 7.1.6.0.25 and 7.1.6.1.9_B9) are vulnerable to unauthenticated remote root compromise through hardcoded credentials in recovery endpoints, allowing…

Is there a public PoC exploit available for EUVD-2026-32928?

Yes, a public proof-of-concept exploit is available for EUVD-2026-32928. Prioritise patching immediately.

SDMC NE6037 EUVD-2026-32928

Q: What is the CVSS score of EUVD-2026-32928?

EUVD-2026-32928 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

| CVE-2026-24444 CRITICAL

Use of Hard-coded Credentials (CWE-798)

2026-05-28 VulnCheck

GHSA-cg6m-frf7-6623

PHP Authentication Bypass

9.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

May 28, 2026 - 17:22 vuln.today

cvss_changed

CVSS changed

May 28, 2026 - 17:22 NVD

9.8 (CRITICAL) 9.3 (CRITICAL)

Analysis Generated

May 28, 2026 - 17:21 vuln.today

DescriptionNVD

SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9 contain a hardcoded password vulnerability in the web management interface recovery endpoints (mgmt.php, npcmd.php) that allows unauthenticated attackers to gain root access by submitting the hardcoded credential to the recovery endpoint via HTTP. Attackers can leverage this hardcoded password to enable filtered SSH and Telnet services on the device, resulting in unauthenticated root-level remote access to the underlying system.

AnalysisAI

Unauthenticated remote root access on SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9 is achievable by submitting a hardcoded credential to recovery endpoints (mgmt.php, npcmd.php) in the web management interface. Attackers can then enable filtered SSH/Telnet services to obtain persistent root-level shell access. …

RemediationAI

Within 24 hours: Scan all networks to identify SDMC NE6037 devices running firmware 7.1.6.0.25 or 7.1.6.1.9_B9; document inventory and network placement. Within 7 days: Restrict access to mgmt.php and npcmd.php endpoints via firewall rules or WAF, disable HTTP/HTTPS management interface where operationally feasible, or limit administrative access to hardened bastion hosts only; implement network segmentation isolating affected devices from critical infrastructure and customer networks. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-32928 vulnerability details – vuln.today

Back

SDMC NE6037 EUVD-2026-32928

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

SDMC NE6037 EUVD-2026-32928

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code