Cyber Resilience

CVE-2026-26235

HighPublic PoC

Published: 12 February 2026

Published
12 February 2026
Modified
20 February 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0178 75.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-26235 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Jung-Group Smart Visu Server Firmware. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 24.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

JUNG Smart Visu Server version 1.1.1050 is affected by a denial-of-service vulnerability tracked as CVE-2026-26235. The flaw stems from missing authentication for a critical function (CWE-306) and permits remote attackers to force a server reboot or shutdown by issuing a single unauthenticated POST request.

Any remote attacker with network access can exploit the issue without credentials or user interaction, resulting in high availability impact while leaving confidentiality and integrity unaffected. The CVSS 4.0 score of 8.7 reflects the network attack vector, low complexity, and absence of required privileges.

Public advisories from Zero Science Lab and VulnCheck document the flaw but supply no specific patch or mitigation details in the available references. The associated EPSS score remains flat at 0.0437 with no observed rise after disclosure.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

JUNG Smart Visu Server 1.1.1050 contains a denial of service vulnerability that allows unauthenticated attackers to remotely shutdown or reboot the server. Attackers can send a single POST request to trigger the server reboot without requiring any authentication.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1529 System Shutdown/Reboot Impact
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
Why these techniques?

Missing authentication on a critical function (shutdown/reboot endpoint) in an internet-facing server directly enables remote exploitation of a public-facing application (T1190) to achieve System Shutdown/Reboot (T1529).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26234Same product: Jung-Group Smart Visu Server
CVE-2017-20222Shared CWE-306
CVE-2026-26368Same vendor: Jung-Group
CVE-2026-4810Shared CWE-306
CVE-2025-53847Shared CWE-306
CVE-2025-61757Shared CWE-306
CVE-2025-68715Shared CWE-306
CVE-2026-21992Shared CWE-306
CVE-2025-26362Shared CWE-306
CVE-2026-48692Shared CWE-306

Affected Assets

jung-group
smart visu server firmware
≤ 1.1.1050

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates identifying and risk-based authorizing critical functions like unauthenticated server reboot or shutdown.

prevent

Enforces access control policies to prevent unauthorized logical access to the reboot function via POST requests.

prevent

Provides specific protections against denial-of-service attacks, including those triggered by unauthenticated remote reboot requests.

References