Description:
Both PAM configurations use pam_unix.so nullok
Impact:
This allows authentication of accounts with empty password fields. After appending a line like evil::0:0:evil:/root:/bin/sh to /etc/passwd , the attacker can su - evil
without any password and obtain a root shell.
The issue has been reported as CVE-2026-12504.
Mitigation:
Upgrade to firmware version 8.4.18.

