CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

CVE-2026-27751
CVSS 9.8 · EPSS 0.04%

CVE-2026-27751: Hardcoded Default Credentials in SODOLA SL902-SWTGW124AS

Amit Schendel
Senior Security Researcher

Mar 1, 2026 · 5 min read

PoC Available

Executive Summary (TL;DR)

The SODOLA SL902-SWTGW124AS switch ships with an 'admin:admin' account that stays active until an administrator changes it. Anyone who can reach the web management interface can log in with those credentials and take full control of the device. Change the admin password immediately; no firmware fix is listed.

A critical authentication weakness exists in the SODOLA SL902-SWTGW124AS network switch firmware. The device ships with a hardcoded administrative credential pair that the firmware never forces the administrator to change. An unauthenticated remote attacker who can reach the HTTP or HTTPS management interface therefore gains full administrative access to the device, which amounts to complete compromise.

Vulnerability Overview

The SODOLA SL902-SWTGW124AS is a managed 2.5G network switch designed for SOHO and enthusiast home lab environments. It features a web-based management interface for configuring VLANs, link aggregation, and QoS settings. Research by Kazuma Matsumoto revealed that firmware versions through 200.1.20 are vulnerable to CWE-1392: Use of Default Credentials.

The vulnerability manifests in the authentication mechanism of the web management console. The device is pre-configured with a static administrative account (admin) and a static password (admin). Unlike secure-by-design implementations that prompt the user to set a unique password upon the first login or initialization, the SODOLA firmware permits the continued use of these default credentials indefinitely. Consequently, any device accessible over the network—whether via a local area network or exposed to the public internet—is susceptible to immediate takeover by an attacker who simply attempts these well-known credentials.

Root Cause Analysis

The root cause of CVE-2026-27751 is a failure in the device's identity and access management lifecycle: the firmware violates the principle of secure defaults. A secure implementation either ships a unique per-device credential (for example, printed on a label) or forces a password change before any management function can be used.

In the SODOLA SL902-SWTGW124AS, the authentication logic is a static lookup. The username and password submitted by HTTP POST to the login endpoint (typically a CGI handler such as /login.cgi on this class of device) are compared against the stored admin credentials, which on an unconfigured device are still admin / admin. On a match, a session with full administrative privileges is issued. Nothing in the flow records whether the password has ever been changed from its factory value, so there is no "dirty bit" to gate access, and the default remains valid for the device's entire operational life until someone changes it by hand.

Authentication Logic Flaw

While the specific proprietary firmware source code is not public, the vulnerability stems from a static authentication flow common in embedded devices. The logic can be conceptually represented as follows:

Vulnerable Logic Flow:

# Pseudo-code representation of the flaw (illustrative, not SODOLA's source)
def handle_login(request):
    user = request.post.get('username')
    pwd = request.post.get('password')

    # VULNERABILITY: the stored values are the factory defaults and
    # nothing records whether they were ever changed
    stored_user = get_config('admin_user')  # returns 'admin' on a fresh device
    stored_pass = get_config('admin_pass')  # returns 'admin' on a fresh device

    if user == stored_user and pwd == stored_pass:
        # full administrative session, even on a never-configured device
        session = create_session(user, role='ADMIN')
        return http_redirect('/index.html', session)
    else:
        return http_error('Invalid Credentials')

In a secure implementation, the same flow checks whether the account is still in its factory state before it grants administrative access:

Secure Logic Flow:

def handle_login(request):
    user = request.post.get('username')
    pwd = request.post.get('password')
    stored_user = get_config('admin_user')
    stored_pass = get_config('admin_pass')

    if user == stored_user and pwd == stored_pass:
        # FIX: refuse an administrative session while the password is still
        # the factory default; grant only a restricted session whose sole
        # permitted action is setting a new password
        if is_default_password(stored_pass):
            session = create_session(user, role='PASSWORD_CHANGE_ONLY')
            return http_redirect('/force_password_change.html', session)

        session = create_session(user, role='ADMIN')
        return http_redirect('/index.html', session)
    else:
        return http_error('Invalid Credentials')

The SODOLA firmware has no such branch, so the factory credentials remain valid indefinitely. Note that the password-change page must itself be gated by an authenticated, restricted session: if it were reachable without credentials, anyone could set the new password and the fix would merely relocate the takeover.
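The hardened flow carried into runnable form, as an added example rather than SODOLA's firmware code: the account keeps an explicit factory-state flag, the login handler issues only a password-change-only session while that flag is set, and the password-change step refuses the factory default. The flag name, the PBKDF2 parameters, the response dictionaries and the session roles are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Added example (not SODOLA firmware code). The factory flag, hashing
# parameters and response shape are assumptions for illustration.

FACTORY_DEFAULT_PASSWORD = "admin"
PBKDF2_ITERATIONS = 100_000  # assumed cost; raise for a real device


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class AdminAccount:
    """Single admin account whose factory_state flag gates full access."""

    def __init__(self) -> None:
        # Factory image: the known default password AND an explicit flag saying so.
        self.username = "admin"
        self.salt = os.urandom(16)
        self.password_hash = _hash_password(FACTORY_DEFAULT_PASSWORD, self.salt)
        self.factory_state = True  # cleared only by set_password()

    def verify(self, username: str, password: str) -> bool:
        # Constant-time comparison of the derived hash, so timing leaks nothing.
        candidate = _hash_password(password, self.salt)
        return username == self.username and hmac.compare_digest(candidate, self.password_hash)

    def set_password(self, new_password: str) -> None:
        # The forced-change step must not accept the default or a trivial value.
        if new_password == FACTORY_DEFAULT_PASSWORD or len(new_password) < 12:
            raise ValueError("password is the factory default or too short")
        self.salt = os.urandom(16)
        self.password_hash = _hash_password(new_password, self.salt)
        self.factory_state = False


def handle_login(account: AdminAccount, form: dict) -> dict:
    """Return an HTTP-like response; only a non-factory account gets role=ADMIN."""
    user = form.get("username", "")
    pwd = form.get("password", "")
    if not account.verify(user, pwd):
        return {"status": 401, "error": "Invalid Credentials"}
    if account.factory_state:
        # Valid credentials but still the factory default: issue a session that
        # can do nothing except change the password, then redirect there.
        return {
            "status": 302,
            "location": "/force_password_change.html",
            "session": {"user": user, "role": "PASSWORD_CHANGE_ONLY",
                        "token": secrets.token_urlsafe(32)},
        }
    return {
        "status": 302,
        "location": "/index.html",
        "session": {"user": user, "role": "ADMIN", "token": secrets.token_urlsafe(32)},
    }


def demo() -> dict:
    """Walk one account from factory state to a changed password."""
    acct = AdminAccount()
    first = handle_login(acct, {"username": "admin", "password": "admin"})
    acct.set_password("correct-horse-battery-staple")
    stale = handle_login(acct, {"username": "admin", "password": "admin"})
    fresh = handle_login(acct, {"username": "admin", "password": "correct-horse-battery-staple"})
    return {"first_role": first["session"]["role"],
            "stale_status": stale["status"],
            "fresh_role": fresh["session"]["role"]}


if __name__ == "__main__":
    print(demo())
```

The point of the separate flag is that the check does not depend on string-comparing the stored password against "admin": a device that is re-flashed, factory-reset or restored from a default config backup returns to factory_state=True and is locked down again until a new password is set.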

Exploitation Methodology

Exploiting this vulnerability requires no specialized tooling or exploit code; it relies entirely on knowledge of the default configuration. The attack is network-based (AV:N) and needs neither prior privileges (PR:N) nor user interaction (UI:N).

  1. Reconnaissance: The attacker scans target networks for open HTTP (80) or HTTPS (443) ports. Fingerprinting identifying the device as a SODOLA switch can be performed by analyzing the HTTP Server header, the page title in the HTML response, or specific MAC address OUIs if the attacker is on the local network.
  2. Access: The attacker navigates to the web interface URL (e.g., http://<TARGET_IP>/).
  3. Authentication: The attacker enters admin in the username field and admin in the password field.
  4. Execution: Upon successful login, the attacker gains full administrative control.

The 9.8 score reflects exactly this combination: a trivial, unauthenticated exploit whose payoff is complete control of the device.

Impact Assessment

The impact of a compromised network switch is severe, particularly given the privileges associated with the admin account.

  • Confidentiality (High): Attackers can view the entire network configuration, including VLAN tags, MAC address tables, and potentially sensitive logs. If the switch supports port mirroring (SPAN), an attacker can mirror traffic from a target port (e.g., a server or gateway uplink) to a port they control, allowing for packet capture and analysis of unencrypted traffic traversing the switch.
  • Integrity (High): Attackers can modify VLAN configurations to bypass segmentation, change QoS rules to degrade performance, or inject malicious firmware if the update mechanism is accessible. They could also re-route traffic to malicious gateways.
  • Availability (High): Attackers can administratively shut down ports, disable the switch interface entirely, or reboot the device, causing a Denial of Service (DoS) for all connected devices.

CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Score: 9.8). The low attack complexity and lack of required authentication make this a critical risk.

Remediation and Mitigation

Because the vulnerability involves valid (albeit default) credentials rather than a memory corruption bug, remediation focuses on configuration management.

Primary Remediation: Administrators must log in to the SODOLA SL902-SWTGW124AS management interface and change the password for the admin account immediately. The new password should be long, complex, and unique. After changing it, log out and confirm that admin / admin is rejected, and repeat on every SL902-SWTGW124AS in the estate, since each unit ships in the same state.

Network Defense:

  • Segmentation: Ensure the management interface (IP address) of the switch is on a dedicated Management VLAN that is not routable from the public internet or general user VLANs.
  • Access Control: If the switch supports Access Control Lists (ACLs) for the management interface, restrict access to specific administrator IP addresses.
  • Monitoring: Forward the switch's logs to a central collector and alert on successful management-interface logins from unexpected source addresses or outside business hours.
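To make the monitoring item concrete, an added example (not SODOLA tooling) that applies the two checks from the list, unexpected source address and non-business hours, to a few constructed syslog-style lines. The line format, the management subnet 10.0.99.0/24 and the 08:00 to 18:00 window are assumptions to be replaced with the switch's actual log output and the site's own values.

```python
import ipaddress
import re
from datetime import datetime, time

# Added example (not SODOLA tooling). The log line format, sample lines,
# management subnet and business-hours window are all constructed for
# illustration; adapt them to what the switch actually emits.

MGMT_NETS = [ipaddress.ip_network("10.0.99.0/24")]   # assumed management VLAN
BUSINESS_HOURS = (time(8, 0), time(18, 0))            # assumed local window
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ web: "
    r"login (?P<result>success|failure) user=(?P<user>\S+) from=(?P<ip>\S+)$"
)

# Constructed sample log: one benign login, one at night, two from outside
# the management network, one failed attempt that should not be flagged.
SAMPLE_LOG = """\
2026-03-01 09:15:02 sw-lab web: login success user=admin from=10.0.99.7
2026-03-01 02:41:33 sw-lab web: login success user=admin from=10.0.99.7
2026-03-01 10:03:19 sw-lab web: login success user=admin from=203.0.113.45
2026-03-01 10:03:25 sw-lab web: login failure user=admin from=203.0.113.45
2026-03-01 11:00:00 sw-lab web: login success user=admin from=192.168.1.20
"""


def parse_line(line: str):
    """Return a dict for a recognised login event, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["ip"] = ipaddress.ip_address(ev["ip"])
    return ev


def reasons_for(ev: dict) -> list:
    """List why a successful login is suspicious; empty list means benign."""
    if ev["result"] != "success":
        return []
    reasons = []
    if not any(ev["ip"] in net for net in MGMT_NETS):
        reasons.append("source outside management network")
    start, end = BUSINESS_HOURS
    if not (start <= ev["ts"].time() < end):
        reasons.append("outside business hours")
    return reasons


def suspicious_logins(log_text: str) -> list:
    """Return (timestamp, ip, reasons) for every flagged successful login."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = reasons_for(ev)
        if reasons:
            findings.append((ev["ts"].isoformat(sep=" "), str(ev["ip"]), reasons))
    return findings


if __name__ == "__main__":
    for ts, ip, why in suspicious_logins(SAMPLE_LOG):
        print(f"{ts} admin login from {ip}: {', '.join(why)}")
```

Only successful logins are scored, because a failed attempt against admin / admin is noise until it succeeds; a separate threshold on repeated failures would cover the brute-force case (T1110.001) mapped in the appendix.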

Technical Appendix

CVSS Score: 9.8 / 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Probability: 0.04% (top 87% most exploited)

Affected Systems

SODOLA SL902-SWTGW124AS 6-Port 2.5G Managed Switch

Affected Versions Detail

Product: SODOLA SL902-SWTGW124AS Firmware
Vendor: SODOLA (Shenzhen Hongyavision)
Affected Versions: <= 200.1.20
Fixed Version: Manual password change required (no fixed firmware version listed)
CWE ID: CWE-1392 (Use of Default Credentials)
CVSS v3.1: 9.8 (Critical)
Attack Vector: Network (Remote)
Attack Complexity: Low
Privileges Required: None
EPSS Score: 0.04% (Low Probability)
Exploit Status: PoC Available / Trivial

MITRE ATT&CK Mapping

  • T1078.001 Valid Accounts: Default Accounts (Initial Access)
  • T1110.001 Brute Force: Password Guessing (Credential Access)

CWE-1392: Use of Default Credentials

The product uses default credentials (such as passwords or cryptographic keys) for its own protection, but the product does not force the user to change these credentials.

Known Exploits & Detection

VulnCheck: Advisory detailing the default-credentials vulnerability.

Vulnerability Timeline

2026-02-27: Vulnerability published in CVE.org
2026-02-27: VulnCheck advisory released
2026-02-28: EPSS score calculated

References & Sources

  • [1] CVE-2026-27751 record (CVE.org)
  • [2] VulnCheck advisory: SODOLA default credentials
  • [3] SODOLA product documentation
