CVE-2026-26341
Published: 24 February 2026
Summary
CVE-2026-26341 is a critical-severity Use of Default Credentials (CWE-1392) vulnerability in Tattile Smart\+ Firmware. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked in the top 16.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2026-26341 affects the firmware of Tattile Smart+, Vega, and Basic device families in versions 1.181.5 and prior. These devices ship with default credentials that are not forced to be changed during installation or commissioning, exposing the management interface to authentication using those unchanged credentials.
An attacker who can reach the management interface over the network can exploit this vulnerability with no required privileges, low attack complexity, and no user interaction. Successful exploitation grants administrative access, enabling unauthorized modification of device configuration and access to sensitive data. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-1392.
Mitigation details are available in vendor and third-party advisories, including those from VulnCheck at https://www.vulncheck.com/advisories/tattile-smart-vega-basic-default-credentials, Zero Science Lab at https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5977.php, and the Tattile website at https://www.tattile.com/.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8551
Vulnerability details
Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior ship with default credentials that are not forced to be changed during installation or commissioning. An attacker who can reach the management interface can authenticate using the default…
more
credentials and gain administrative access, enabling unauthorized access to device configuration and data.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability exposes a network-accessible management interface with unchanged default credentials, enabling attackers to authenticate and gain administrative access, directly mapping to T1078.001: Default Accounts.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires changing default authenticators prior to first use, preventing authentication with shipped default credentials on the management interface.
Mandates management of accounts including disabling unnecessary default accounts and reviewing access authorizations to block unauthorized administrative access.
Requires establishing and enforcing secure configuration settings, such as forcing credential changes during device installation or commissioning.