CVE-2026-26235
Published: 12 February 2026
Summary
CVE-2026-26235 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Jung-Group Smart Visu Server Firmware. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 24.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
JUNG Smart Visu Server version 1.1.1050 is affected by a denial-of-service vulnerability tracked as CVE-2026-26235. The flaw stems from missing authentication for a critical function (CWE-306) and permits remote attackers to force a server reboot or shutdown by issuing a single unauthenticated POST request.
Any remote attacker with network access can exploit the issue without credentials or user interaction, resulting in high availability impact while leaving confidentiality and integrity unaffected. The CVSS 4.0 score of 8.7 reflects the network attack vector, low complexity, and absence of required privileges.
Public advisories from Zero Science Lab and VulnCheck document the flaw but supply no specific patch or mitigation details in the available references. The associated EPSS score remains flat at 0.0437 with no observed rise after disclosure.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7032
Vulnerability details
JUNG Smart Visu Server 1.1.1050 contains a denial of service vulnerability that allows unauthenticated attackers to remotely shutdown or reboot the server. Attackers can send a single POST request to trigger the server reboot without requiring any authentication.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authentication on a critical function (shutdown/reboot endpoint) in an internet-facing server directly enables remote exploitation of a public-facing application (T1190) to achieve System Shutdown/Reboot (T1529).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates identifying and risk-based authorizing critical functions like unauthenticated server reboot or shutdown.
Enforces access control policies to prevent unauthorized logical access to the reboot function via POST requests.
Provides specific protections against denial-of-service attacks, including those triggered by unauthenticated remote reboot requests.