CVE-2026-24444 (CVSS 9.8) — SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9 contain a hardcoded password vulnerability in the web management interface recovery endpoints (mgmt.php, npcmd.php) that al
CVE. Sourced from NVD, summarised by Matproof.
AI Analysis
What changed and what to do.
A critical vulnerability has been published under CVE-2026-24444, affecting SDMC NE6037 cable modem routers running firmware versions 7.1.6.0.25 and 7.1.6.1.9_B9. The issue is a hardcoded password in the web management interface recovery endpoints, specifically mgmt.php and npcmd.php. With a CVSS score of 9.8, it is rated critical: an unauthenticated attacker could exploit the flaw remotely to gain full administrative control over affected devices.
This vulnerability primarily impacts telecommunications providers, internet service providers, and any organization that deploys SDMC NE6037 routers to customers or within their own infrastructure. Residential and small business users of these devices are also at risk. Sectors such as telecom, broadband, and managed network services should prioritize this issue, as compromised routers could lead to network breaches, data interception, or use in larger attacks.
Compliance teams should immediately verify whether any SDMC NE6037 devices are in use within their organization or customer base. If so, they must apply any available firmware patches from the vendor or isolate affected devices from critical networks until a fix is deployed. Additionally, teams should review incident response plans for potential exploitation and ensure that any regulatory reporting obligations under frameworks like NIS2 or GDPR are understood, as a breach could involve personal data or critical infrastructure.
This summary is AI-generated for orientation purposes. For regulatory action, always consult the original source linked above.