FKIE_CVE-2026-26341

Vulnerability from fkie_nvd - Published: 2026-02-24 20:27 - Updated: 2026-02-26 17:31
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior ship with default credentials that are not forced to be changed during installation or commissioning. An attacker who can reach the management interface can authenticate using the default credentials and gain administrative access, enabling unauthorized access to device configuration and data.
References
disclosure@vulncheck.comhttps://www.tattile.com/Product
disclosure@vulncheck.comhttps://www.vulncheck.com/advisories/tattile-smart-vega-basic-default-credentialsThird Party Advisory, VDB Entry
disclosure@vulncheck.comhttps://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5977.phpThird Party Advisory, Exploit
Impacted products
Vendor Product Version
tattile smart\+_firmware *
tattile smart\+ -
tattile tolling\+_firmware *
tattile tolling\+ -
tattile smart\+_speed_firmware *
tattile smart\+_speed -
tattile smart\+_traffic_light_firmware *
tattile smart\+_traffic_light -
tattile axle_counter_firmware *
tattile axle_counter -
tattile vega53_firmware *
tattile vega53 -
tattile vega33_firmware *
tattile vega33 -
tattile vega11_firmware *
tattile vega11 -
tattile basic_mk2_firmware *
tattile basic_mk2 -
tattile anpr_mobile_firmware *
tattile anpr_mobile -
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:tattile:smart\\+_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "75DF648A-23A7-4CD7-A7AA-EC4E5041C11A",
              "versionEndIncluding": "1.181.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:tattile:smart\\+:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B19D09F0-9D90-4D42-8866-351C464B45BC",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:tattile:tolling\\+_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7CC79296-730F-40BF-A4CC-CB711452BFCF",
              "versionEndIncluding": "1.181.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:tattile:tolling\\+:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "7085AB6F-B3A7-48B3-996A-DF842B2D7217",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:tattile:smart\\+_speed_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6FCA661E-7976-4F6A-A79E-FFC3355C4A90",
              "versionEndIncluding": "1.181.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:tattile:smart\\+_speed:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F3DE404C-063D-4775-9C8B-972D5C34B128",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:tattile:smart\\+_traffic_light_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "83B0F41B-E7F4-4D72-B041-A27AC19EF8BA",
              "versionEndIncluding": "1.181.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:tattile:smart\\+_traffic_light:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "9648971C-A3ED-4E3C-AC58-EC8E24C1BACD",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:tattile:axle_counter_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A0360803-0FF4-46FB-913D-FD0724C74139",
              "versionEndIncluding": "1.181.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:tattile:axle_counter:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "48535F53-6935-4F1B-B0CA-71721D82B344",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:tattile:vega53_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "09CF177A-3D69-4F47-8028-F83493CF0178",
              "versionEndIncluding": "1.181.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:tattile:vega53:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "DA18F44D-09EC-462A-AEE1-2734F74D9214",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:tattile:vega33_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FC4C241F-FF66-480B-8708-FDC1814DE167",
              "versionEndIncluding": "1.181.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:tattile:vega33:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "88626B12-E13C-4606-81E1-998C74CD6485",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:tattile:vega11_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "026FF8B9-AEA6-45FF-8FA9-BE97C20A66E1",
              "versionEndIncluding": "1.181.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:tattile:vega11:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "918205FF-3BC6-4A38-980A-CE0BF36EE9EF",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:tattile:basic_mk2_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "72B5F07C-949A-440F-AB94-46C5AF5F46C3",
              "versionEndIncluding": "1.181.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:tattile:basic_mk2:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A59DD6EA-AE66-4AF6-A2F0-5A84F2F809BB",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:tattile:anpr_mobile_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FF40F60E-1D89-4A51-B1AC-0BE34878AD1E",
              "versionEndIncluding": "1.181.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:tattile:anpr_mobile:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "7456A228-07C2-4E9A-98A9-8485F993C281",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior ship with default credentials that are not forced to be changed during installation or commissioning. An attacker who can reach the management interface can authenticate using the default credentials and gain administrative access, enabling unauthorized access to device configuration and data."
    },
    {
      "lang": "es",
      "value": "Las versiones de firmware 1.181.5 y anteriores de las familias de dispositivos Tattile Smart+, Vega y Basic se env\u00edan con credenciales predeterminadas que no se exige cambiar durante la instalaci\u00f3n o la puesta en marcha. Un atacante que pueda acceder a la interfaz de gesti\u00f3n puede autenticarse usando las credenciales predeterminadas y obtener acceso de administrador, lo que permite el acceso no autorizado a la configuraci\u00f3n y los datos del dispositivo."
    }
  ],
  "id": "CVE-2026-26341",
  "lastModified": "2026-02-26T17:31:23.003",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "disclosure@vulncheck.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-24T20:27:48.103",
  "references": [
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Product"
      ],
      "url": "https://www.tattile.com/"
    },
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://www.vulncheck.com/advisories/tattile-smart-vega-basic-default-credentials"
    },
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Third Party Advisory",
        "Exploit"
      ],
      "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5977.php"
    }
  ],
  "sourceIdentifier": "disclosure@vulncheck.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1392"
        }
      ],
      "source": "disclosure@vulncheck.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.