An unauthenticated remote attacker can recover a default

CVE-2026-35075 is a hard-coded/default credential problem in MBS Single-A V1_0_0_0 firmware. Publicly available MBS gateway documentation already shows a default web-management login of gw / GATEWAY, and the CVE description says an unauthenticated attacker can recover the credential from a firmware image and then obtain full access to affected devices. That makes the exploit path essentially: get firmware, extract credential, reach the management interface, log in, own the gateway.

The vendor's 9.8/CRITICAL rating is technically understandable, but too generous for enterprise prioritization. The biggest real-world friction is *reachability*: these are building-automation/OT gateways that usually live on internal management segments or control networks, not broadly exposed internet services. Once an attacker can reach one, compromise is easy and impact is high, but the exposed population is narrower than generic edge software.

Why this verdict

• Downgrade for reachability: these are building-automation gateways, which implies *internal/OT placement* more often than internet-edge exposure.
• Still HIGH because compromise is easy once reachable: the attack path is low-complexity offline extraction plus ordinary authentication, not memory corruption or fragile RCE.
• Amplifier: protocol-boundary blast radius: compromising a gateway that bridges BACnet/Modbus/LON-style environments can let one device influence multiple downstream systems.

Why not higher?

I am not calling this CRITICAL because there is no public evidence of active exploitation, no KEV listing, and the reachable population is likely much smaller than a mainstream externally exposed appliance. The attack also depends on a management-plane path to the gateway, which is a meaningful deployment-specific choke point.

Why not lower?

I am not pushing this to MEDIUM because the exploit does not require prior authentication, user interaction, or advanced tradecraft once network reachability exists. Full administrative access on an OT gateway is too much blast radius to relegate to backlog hygiene.

1. Block direct management-plane access — Put the web interface behind VPN, jump host, or strict ACLs and remove any flat enterprise-to-OT reachability. For a HIGH verdict, deploy this within 30 days because reachability is the main factor keeping this below CRITICAL.
2. Restrict gateway access to named admin stations — Allow only specific management hosts and admin subnets to reach the gateway's web interface and diagnostic services. This cuts off opportunistic lateral movement and should be in place within 30 days.
3. Rotate and validate all gateway credentials — If the exposed credential is operator-changeable, enforce unique non-default credentials and verify they actually took effect on every device. Do this within 30 days, and treat any device still accepting defaults as already exposed.
4. Monitor for config, backup, and firmware actions — Alert on gateway login success, backup export, restore import, firmware upload, and protocol-driver changes. These are the attacker actions that matter after foothold, and logging coverage should be improved within 30 days.
5. Segment protocol-facing networks from enterprise IT — Even if a gateway falls, downstream BACnet/Modbus/LON networks should not provide easy pivot paths back into broader enterprise zones. Tighten routing and firewall policy within 30 days to contain blast radius.

Run this on an auditor workstation or engineering laptop against a downloaded firmware image or backup file, not on the gateway itself. Invoke it as python3 verify_cve_2026_35075.py /path/to/firmware.bin; it needs only local read access to the file and no elevated privileges.

#!/usr/bin/env python3
# verify_cve_2026_35075.py
# Offline triage for CVE-2026-35075 in MBS Single-A firmware/backups.
# Usage: python3 verify_cve_2026_35075.py /path/to/file
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=usage/error

import os
import re
import sys
import subprocess
from pathlib import Path

VULN_VERSION_PATTERNS = [
    rb'V1[_\.\-]?0[_\.\-]?0[_\.\-]?0',
    rb'1[_\.\-]?0[_\.\-]?0[_\.\-]?0'
]
PRODUCT_PATTERNS = [
    rb'MBS',
    rb'Single-A',
    rb'Universal Gateway',
    rb'Gateway Konfigurationsseite',
    rb'169\.254\.0\.1'
]
CRED_PATTERNS = [
    rb'gw',
    rb'GATEWAY'
]


def die(msg, code=3):
    print(f'UNKNOWN - {msg}')
    sys.exit(code)


def read_strings(path):
    try:
        # Try native strings first for better coverage on binaries.
        out = subprocess.run(['strings', '-a', str(path)], capture_output=True, text=True, timeout=120)
        data = out.stdout.encode(errors='ignore')
        if data:
            return data
    except Exception:
        pass

    # Fallback: raw bytes, then extract printable runs.
    raw = Path(path).read_bytes()
    printable = re.findall(rb'[\x20-\x7e]{4,}', raw)
    return b'\n'.join(printable)


def has_any(blob, patterns):
    return any(re.search(p, blob, re.IGNORECASE) for p in patterns)


def find_version_tokens(blob):
    hits = set()
    for m in re.finditer(rb'([Vv]?\d[_\.\-]\d[_\.\-]\d[_\.\-]\d)', blob):
        hits.add(m.group(1).decode(errors='ignore'))
    return sorted(hits)


def main():
    if len(sys.argv) != 2:
        die('usage: python3 verify_cve_2026_35075.py /path/to/firmware.bin')

    path = Path(sys.argv[1])
    if not path.exists() or not path.is_file():
        die('input file not found')

    try:
        blob = read_strings(path)
    except Exception as e:
        die(f'failed to read/analyze file: {e}')

    product_hit = has_any(blob, PRODUCT_PATTERNS)
    vuln_ver_hit = has_any(blob, VULN_VERSION_PATTERNS)
    gw_hit = re.search(rb'\bgw\b', blob, re.IGNORECASE) is not None
    pw_hit = re.search(rb'\bGATEWAY\b', blob, re.IGNORECASE) is not None
    versions = find_version_tokens(blob)

    # Strong vulnerable signal: product markers + affected version + both default credential tokens.
    if product_hit and vuln_ver_hit and gw_hit and pw_hit:
        print('VULNERABLE')
        sys.exit(1)

    # We only call PATCHED when we see product markers, see a version token, do NOT see the known affected version,
    # and do NOT see both default-credential indicators.
    if product_hit and versions and not vuln_ver_hit and not (gw_hit and pw_hit):
        print('PATCHED')
        sys.exit(0)

    # If it looks like an MBS gateway artifact but the evidence is incomplete, stay conservative.
    if product_hit:
        summary = ', '.join(versions[:5]) if versions else 'no version token found'
        print(f'UNKNOWN - MBS artifact detected; version evidence: {summary}; affected-version/default-credential match incomplete')
        sys.exit(2)

    print('UNKNOWN - no strong MBS Single-A firmware indicators found in the supplied file')
    sys.exit(2)


if __name__ == '__main__':
    main()

Sources

1. MBS UGW manual PDF showing default IP and default web credentials
2. MBS A-Series product page for Single-A gateway family
3. MBS support overview of A-Series / Single-A gateway role
4. MBS standard gateway page describing integrated web interface
5. CISA Known Exploited Vulnerabilities catalog
6. FIRST EPSS API documentation
7. Public CVE aggregator entry for CVE-2026-35075 / MBS Single-A V1_0_0_0