Description
Use of default credentials vulnerability in Roche Diagnostics navify Digital Pathology (RabbitMQ Management interface modules) allows Default Usernames and Passwords. This issue affects navify Digital Pathology: from 2.0.0 before 2.4.1.
Published: 2026-06-02
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from hard‑coded default credentials in the RabbitMQ Management interface module of Roche Diagnostics navify Digital Pathology. Attackers who discover the exposed interface can use the default credentials, inferred from the description, to log in without any prior authorization, giving them full administrative control over the digital pathology environment. This allows configuration changes, data export, and other privileged actions. The weakness is cataloged as CWE‑1392, a credential management issue.

Affected Systems

Infected installations use Roche Diagnostics navify Digital Pathology versions 2.0.0 through 2.4.0 inclusive. The defect resides in the RabbitMQ Management interface modules, which are present by default in factory builds. Any system that has not applied the password change or disabled the guest account remains vulnerable.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity vulnerability. EPSS data is unavailable and the issue is not listed in the CISA KEV catalog. Exploitation is possible via direct remote access to the RabbitMQ Management interface over the network when the default credentials remain unchanged. Because the login values are widely known, only network visibility and misconfiguration are required to take advantage of the weakness, representing a significant risk for exposed or inadequately protected environments.

Generated by OpenCVE AI on June 2, 2026 at 16:06 UTC.

Remediation

Vendor Solution

Change the default password for the guest user from the factory settings to a secure, unique password.

OpenCVE Recommended Actions

  • Change the default guest account password from the factory settings to a secure, unique password.
  • Disable or remove the guest user account if it is not required for operation.
  • Restrict network access to the RabbitMQ Management interface to trusted internal hosts only.
  • Ensure the software is updated to version 2.4.1 or later, where the default credential issue has been addressed, or apply the configuration change if staying on an older version.

Generated by OpenCVE AI on June 2, 2026 at 16:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Roche Diagnostics
Roche Diagnostics navify Digital Pathology
Vendors & Products Roche Diagnostics
Roche Diagnostics navify Digital Pathology

Tue, 02 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Description Use of default credentials vulnerability in Roche Diagnostics navify Digital Pathology (RabbitMQ Management interface modules) allows Default Usernames and Passwords. This issue affects navify Digital Pathology: from 2.0.0 before 2.4.1.
Title Vulnerability in navify® Digital Pathology
Weaknesses CWE-1392
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:L/SA:L/S:N/AU:Y/R:U/V:D/RE:M/U:Green'}

Subscriptions

Roche Diagnostics Navify Digital Pathology
cve-icon MITRE

Status: PUBLISHED

Assigner: Roche

Published:

Updated: 2026-06-02T15:09:09.840Z

Reserved: 2026-05-28T13:34:24.678Z

Link: CVE-2026-9844

cve-icon Vulnrichment

Updated: 2026-06-02T15:08:50.715Z

cve-icon NVD

Status : Deferred

Published: 2026-06-02T14:17:14.930

Modified: 2026-06-02T14:50:37.260

Link: CVE-2026-9844

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T20:51:19Z

Weaknesses