DIBT-CVE 20260526-0003 PAM Passwordless uid=0 Authentication (HIGH)

  • Classification: CWE-287 — Improper Authentication
  • Severity: High

Description:

Both PAM configurations use pam_unix.so nullok

Impact:

This allows authentication of accounts with empty password fields. After appending a line like evil::0:0:evil:/root:/bin/sh to /etc/passwd , the attacker can su - evil
without any password and obtain a root shell.

The issue has been reported as CVE-2026-12504.

Mitigation:

Upgrade to firmware version 8.4.18.