CVE-2026-26235

HighPublic PoC

Published: 12 February 2026

Published

12 February 2026

Modified

20 February 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0437 89.0th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26235 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Jung-Group Smart Visu Server Firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 11.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Directly mandates identifying and risk-based authorizing critical functions like unauthenticated server reboot or shutdown.

AC-3 Access Enforcement good match

prevent

Enforces access control policies to prevent unauthorized logical access to the reboot function via POST requests.

SC-5 Denial-of-service Protection good match

prevent

Provides specific protections against denial-of-service attacks, including those triggered by unauthenticated remote reboot requests.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1529 System Shutdown/Reboot Impact

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

attack.mitre.org →

Why these techniques?

Missing authentication on a critical function (shutdown/reboot endpoint) in an internet-facing server directly enables remote exploitation of a public-facing application (T1190) to achieve System Shutdown/Reboot (T1529).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

JUNG Smart Visu Server 1.1.1050 contains a denial of service vulnerability that allows unauthenticated attackers to remotely shutdown or reboot the server. Attackers can send a single POST request to trigger the server reboot without requiring any authentication.

Deeper analysisAI

JUNG Smart Visu Server version 1.1.1050 is affected by CVE-2026-26235, a denial of service vulnerability classified under CWE-306 (Missing Authentication for Critical Function). Published on 2026-02-12, the issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high-impact availability disruption with no confidentiality or integrity effects. The vulnerability arises from a lack of authentication checks, enabling remote server shutdown or reboot via a single POST request.

Unauthenticated attackers with network access can exploit this flaw remotely and with low complexity, requiring no privileges, user interaction, or special conditions. Exploitation triggers an immediate server reboot or shutdown, rendering the service unavailable and potentially disrupting connected systems or users dependent on the Smart Visu Server.

Advisories from VulnCheck and Zero Science Labs detail the vulnerability and exploitation mechanics. For mitigation guidance, patches, or workarounds, refer to https://www.vulncheck.com/advisories/jung-smart-visu-server-jung-smart-visu-server-missing-authentication and https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5971.php.