CVE-2026-26366
Published: 15 February 2026
Summary
CVE-2026-26366 is a critical-severity Use of Default Credentials (CWE-1392) vulnerability in Jung-Group Enet Smart Home. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks at the 21.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and AC-2 (Account Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
IA-5 directly prohibits the use of default authenticators and requires implementation of initial authenticator change requirements, comprehensively preventing exploitation of unchanged default credentials.
AC-2 requires management of system accounts including disabling unnecessary or inactive accounts, addressing default accounts that remain active post-installation.
CM-6 mandates establishment and implementation of secure configuration settings, enabling enforcement of mandatory password changes or disabling of default credentials.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Default credentials on a network-accessible admin interface directly enable initial access via valid default accounts (T1078.001) over external remote services (T1133).
NVD Description
eNet SMART HOME server 2.2.1 and 2.3.1 ships with default credentials (user:user, admin:admin) that remain active after installation and commissioning without enforcing a mandatory password change. Unauthenticated attackers can use these default credentials to gain administrative access to sensitive smart home configuration and control functions.
Deeper analysis
CVE-2026-26366 affects the eNet SMART HOME server in versions 2.2.1 and 2.3.1, which ship with default credentials (user:user and admin:admin) that remain active post-installation and commissioning without requiring a mandatory password change. This vulnerability, classified under CWE-1392 (Use of Default Credentials), enables unauthenticated access to administrative functions for sensitive smart home configuration and control. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and high impact on confidentiality, integrity, and availability.
Unauthenticated attackers with network access to the eNet SMART HOME server can exploit this issue by simply using the default credentials to log in and gain full administrative privileges. Successful exploitation allows control over smart home devices, configuration settings, and potentially connected IoT endpoints, enabling unauthorized surveillance, device manipulation, or disruption of home automation services without requiring privileges, user interaction, or complex preconditions.
Mitigation details are outlined in advisories from VulnCheck (https://www.vulncheck.com/advisories/jung-enet-smart-home-server-use-of-default-credent) and Zero Science (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5972.php), published around the CVE disclosure on 2026-02-15. Security practitioners should review these for vendor-recommended remediation steps, such as immediate credential changes and configuration hardening.
Details
- CWE(s)