CVE-2026-26341
Published: 24 February 2026
Summary
CVE-2026-26341 is a critical-severity Use of Default Credentials (CWE-1392) vulnerability in Tattile Smart\+ Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked in the top 5.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires changing default authenticators prior to first use, preventing authentication with shipped default credentials on the management interface.
Mandates management of accounts including disabling unnecessary default accounts and reviewing access authorizations to block unauthorized administrative access.
Requires establishing and enforcing secure configuration settings, such as forcing credential changes during device installation or commissioning.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability exposes a network-accessible management interface with unchanged default credentials, enabling attackers to authenticate and gain administrative access, directly mapping to T1078.001: Default Accounts.
NVD Description
Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior ship with default credentials that are not forced to be changed during installation or commissioning. An attacker who can reach the management interface can authenticate using the default…
more
credentials and gain administrative access, enabling unauthorized access to device configuration and data.
Deeper analysisAI
CVE-2026-26341 affects the firmware of Tattile Smart+, Vega, and Basic device families in versions 1.181.5 and prior. These devices ship with default credentials that are not forced to be changed during installation or commissioning, exposing the management interface to authentication using those unchanged credentials.
An attacker who can reach the management interface over the network can exploit this vulnerability with no required privileges, low attack complexity, and no user interaction. Successful exploitation grants administrative access, enabling unauthorized modification of device configuration and access to sensitive data. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-1392.
Mitigation details are available in vendor and third-party advisories, including those from VulnCheck at https://www.vulncheck.com/advisories/tattile-smart-vega-basic-default-credentials, Zero Science Lab at https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5977.php, and the Tattile website at https://www.tattile.com/.
Details
- CWE(s)