Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:M/U:Green
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:M/U:Green
Lifecycle Timeline
1DescriptionCVE.org
Use of default credentials vulnerability in Roche Diagnostics navify Digital Pathology (RabbitMQ Management interface modules) allows Default Usernames and Passwords. This issue affects navify Digital Pathology: from 2.0.0 before 2.4.1.
AnalysisAI
Default credential exposure in Roche Diagnostics navify Digital Pathology (versions 2.0.0 through 2.4.0) lets remote unauthenticated attackers log into the embedded RabbitMQ Management interface using factory-shipped usernames and passwords. CVSS 4.0 rates the issue 8.8 with network attack vector and no privileges required, and no public exploit identified at time of analysis. Successful access exposes message-broker administration, enabling data interception, queue manipulation, and downstream tampering with pathology workflows.
Technical ContextAI
navify Digital Pathology is Roche's cloud/edge platform for whole-slide image management and AI-assisted diagnostic review. It bundles RabbitMQ as the asynchronous messaging backbone between ingestion, analysis, and reporting microservices, and exposes the RabbitMQ Management plugin (HTTP API and web UI, typically on port 15672) for operational control. CWE-1392 (Use of Default Credentials) describes shipping products with predictable built-in accounts that operators are not forced to change at deployment; in RabbitMQ's case the canonical default is the 'guest/guest' administrator, intended for loopback-only use but frequently reachable on bound interfaces in containerized or appliance deployments.
RemediationAI
Upgrade navify Digital Pathology to version 2.4.1 or later, which Roche identifies as the fixed release line; consult the Roche product security advisory at https://diagnostics.roche.com/global/en/legal/product-security-advisory.html for the per-tenant patch procedure. As compensating controls until the upgrade is rolled out, rotate the RabbitMQ management credentials to strong unique values and disable the default 'guest' account (side effect: any internal automation still hardcoded to guest/guest will break and must be re-credentialed), restrict the RabbitMQ management plugin to listen only on loopback or a management VLAN by setting management.tcp.ip in rabbitmq.conf, and block ingress to ports 15672/15671 (and 5672/5671 if AMQP is similarly exposed) at the network boundary so the broker is reachable only from trusted application tiers. Audit RabbitMQ access logs for prior logins by default accounts to confirm whether exploitation has already occurred.
Same weakness CWE-1392 – Use of Default Credentials
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33923
GHSA-p3m3-2jc5-vvp6