Cyber Resilience

CVE-2026-26366

Critical · Public PoC

Published: 15 February 2026

Modified: 26 February 2026
KEV Added
Patch
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0065 (46.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-26366 is a critical-severity Use of Default Credentials (CWE-1392) vulnerability in Jung-Group Enet Smart Home. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks at the 46.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and AC-2 (Account Management).

Deeper analysis

CVE-2026-26366 affects the eNet SMART HOME server in versions 2.2.1 and 2.3.1, which ship with default credentials (user:user and admin:admin) that remain active post-installation and commissioning without requiring a mandatory password change. This vulnerability, classified under CWE-1392 (Use of Default Credentials), enables unauthenticated access to administrative functions for sensitive smart home configuration and control. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and high impact on confidentiality, integrity, and availability.

Unauthenticated attackers with network access to the eNet SMART HOME server can exploit this issue by simply using the default credentials to log in and gain full administrative privileges. Successful exploitation allows control over smart home devices, configuration settings, and potentially connected IoT endpoints, enabling unauthorized surveillance, device manipulation, or disruption of home automation services without requiring privileges, user interaction, or complex preconditions.

Mitigation details are outlined in advisories from VulnCheck (https://www.vulncheck.com/advisories/jung-enet-smart-home-server-use-of-default-credent) and Zero Science (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5972.php), published around the CVE disclosure on 2026-02-15. Security practitioners should review these for vendor-recommended remediation steps, such as immediate credential changes and configuration hardening.

Vulnerability details

eNet SMART HOME server 2.2.1 and 2.3.1 ships with default credentials (user:user, admin:admin) that remain active after installation and commissioning without enforcing a mandatory password change. Unauthenticated attackers can use these default credentials to gain administrative access to sensitive smart home configuration and control functions.

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1078.001 Default Accounts · Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1133 External Remote Services · Persistence
Adversaries may leverage external-facing remote services to initially access and/or persist within a network.

Why these techniques?

Default credentials on a network-accessible admin interface directly enable initial access via valid default accounts (T1078.001) over external remote services (T1133).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26369 · Same product: Jung-Group Enet Smart Home
CVE-2026-26367 · Same product: Jung-Group Enet Smart Home
CVE-2026-26368 · Same product: Jung-Group Enet Smart Home
CVE-2024-12013 · Shared CWE-1392
CVE-2025-2398 · Shared CWE-1392
CVE-2025-54756 · Shared CWE-1392
CVE-2026-26235 · Same vendor: Jung-Group
CVE-2022-50803 · Shared CWE-1392
CVE-2026-26341 · Shared CWE-1392
CVE-2026-7365 · Shared CWE-1392

Affected Assets

jung-group
enet smart home
2.2.1, 2.3.1

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: IA-5 directly prohibits the use of default authenticators and requires implementation of initial authenticator change requirements, comprehensively preventing exploitation of unchanged default credentials.

Prevent: AC-2 requires management of system accounts including disabling unnecessary or inactive accounts, addressing default accounts that remain active post-installation.

Prevent: CM-6 mandates establishment and implementation of secure configuration settings, enabling enforcement of mandatory password changes or disabling of default credentials.
