CVE-2026-23647

Glory RBG-100 recycler systems using the ISPK-08 software component contain hard-coded operating system credentials that allow remote authentication to the underlying Linux system. Multiple local user accounts, including accounts with administrative privileges, were found to have fixed, embedded passwords. An attacker with network access to exposed services such as SSH may authenticate using these credentials and gain unauthorized access to the system. Successful exploitation allows remote access with elevated privileges and may result in full system compromise.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.glory-global.com/
https://www.vulncheck.com/advisories/glory-rbg-100-recycler-system-hard-coded-os-credentials

Configurations

No configuration.

History

18 Feb 2026, 17:52

Type	Values Removed	Values Added
Summary		(es) Los sistemas recicladores Glory RBG-100 que utilizan el componente de software ISPK-08 contienen credenciales de sistema operativo codificadas de forma rígida que permiten la autenticación remota al sistema Linux subyacente. Se encontró que múltiples cuentas de usuario locales, incluyendo cuentas con privilegios administrativos, tenían contraseñas fijas e incrustadas. Un atacante con acceso de red a servicios expuestos como SSH puede autenticarse usando estas credenciales y obtener acceso no autorizado al sistema. La explotación exitosa permite el acceso remoto con privilegios elevados y puede resultar en un compromiso total del sistema.

17 Feb 2026, 20:22

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8

17 Feb 2026, 17:21

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-17 17:21

Updated : 2026-02-18 17:52

NVD link : CVE-2026-23647

Mitre link : CVE-2026-23647

CVE.ORG link : CVE-2026-23647

JSON object : View

Products Affected

No product.

CWE

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2026-23647", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-17T17:21:05.040", "references": [{"url": "https://www.glory-global.com/", "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/glory-rbg-100-recycler-system-hard-coded-os-credentials", "source": "disclosure@vulncheck.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "Glory RBG-100 recycler systems using the ISPK-08 software component contain hard-coded operating system credentials that allow remote authentication to the underlying Linux system. Multiple local user accounts, including accounts with administrative privileges, were found to have fixed, embedded passwords. An attacker with network access to exposed services such as SSH may authenticate using these credentials and gain unauthorized access to the system. Successful exploitation allows remote access with elevated privileges and may result in full system compromise."}, {"lang": "es", "value": "Los sistemas recicladores Glory RBG-100 que utilizan el componente de software ISPK-08 contienen credenciales de sistema operativo codificadas de forma r\u00edgida que permiten la autenticaci\u00f3n remota al sistema Linux subyacente. Se encontr\u00f3 que m\u00faltiples cuentas de usuario locales, incluyendo cuentas con privilegios administrativos, ten\u00edan contrase\u00f1as fijas e incrustadas. Un atacante con acceso de red a servicios expuestos como SSH puede autenticarse usando estas credenciales y obtener acceso no autorizado al sistema. La explotaci\u00f3n exitosa permite el acceso remoto con privilegios elevados y puede resultar en un compromiso total del sistema."}], "lastModified": "2026-02-18T17:52:22.253", "sourceIdentifier": "disclosure@vulncheck.com"}