Predictable default Wi-Fi Password in Access Point functionality in EZCast Pro II Dongle allows attackers in Wi-Fi range to gain access to the dongle by calculating the default password from observable device identifiers
Peripheral Devices
NTCF: NTCF-2025-98983
CVE: CVE-2025-13955
Product: EZCast Pro II
Vendor: NimbleTech
Criticality: high
Status: pending
Discovered: 2025-07-14
Detail: Public
Vulnerable version: all, tested: 1.17478.146
Description
Multiple vulnerabilities have been identified in the EZCast Pro II Dongle from NimbleTech. A comprehensive list of all related vulnerabilities for this device can be found on the NTC vulnerability hub.
Mitigation
As the vendor has not yet been able to provide patches, we strongly recommend following the corresponding warning issued by the National Cyber Security Centre (NCSC). Until a firmware patch is made available, users are advised to take the following immediate actions:
- Disconnect the dongle from the local network.
- Limit usage strictly to access point functionality to minimize the attack surface.
- Change the default password.
Disclosure Policy
In accordance with the NTC Vulnerability Disclosure Policy, no technical details about this vulnerability will be publicly disclosed. Further details may be provided on a case-by-case basis. Please use the contact form and provide an explanation for your request.
Summary Report
The NTC will shortly publish a summary report on the security of peripheral devices.
Timeline
2025-07-14: initial discovery
2025-07-16: first contact to vendor
2025-07-25: private disclosure to vendor
2025-09-02: no response from vendor despite multiple follow-up requests for status updates
2025-09-02: escalation to the NCSC
2025-12-10: public disclosure
2025-12-10: warning issued by the NCSC