CVE-2026-26368
Published: 15 February 2026
Summary
CVE-2026-26368 is a high-severity Missing Authorization (CWE-862) vulnerability in Jung-Group Enet Smart Home. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations to prevent low-privileged users from accessing or modifying higher-privileged accounts via the resetUserPassword method.
Implements least privilege to restrict low-privileged UG_USER accounts from performing administrative password resets on UG_ADMIN or UG_SUPER_ADMIN accounts.
Manages authenticators with procedures requiring proper authorization and current password verification before allowing password changes on arbitrary accounts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization in remote JSON-RPC password reset enables direct account takeover (T1098) of admin accounts from low-priv user, constituting exploitation for privilege escalation (T1068) against a public-facing management endpoint (T1190).
NVD Description
eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the resetUserPassword JSON-RPC method that allows any authenticated low-privileged user (UG_USER) to reset the password of arbitrary accounts, including those in the UG_ADMIN and UG_SUPER_ADMIN groups, without…
more
supplying the current password or having sufficient privileges. By sending a crafted JSON-RPC request to /jsonrpc/management, an attacker can overwrite existing credentials, resulting in direct account takeover with full administrative access and persistent privilege escalation.
Deeper analysisAI
CVE-2026-26368, published on 2026-02-15, is a missing authorization vulnerability (CWE-862) in the resetUserPassword JSON-RPC method of the eNet SMART HOME server versions 2.2.1 and 2.3.1. The flaw enables any authenticated low-privileged user (UG_USER) to reset the password of arbitrary accounts, including those in the UG_ADMIN and UG_SUPER_ADMIN groups, without supplying the current password or possessing sufficient privileges. Rated at CVSS 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), it allows attackers to send crafted JSON-RPC requests to the /jsonrpc/management endpoint, overwriting existing credentials.
Any authenticated user with minimal UG_USER privileges can exploit this vulnerability remotely over the network with low complexity. Successful exploitation results in direct account takeover of targeted users, including administrators, granting full administrative access and enabling persistent privilege escalation.
Mitigation details are outlined in vendor and researcher advisories, including those from VulnCheck at https://www.vulncheck.com/advisories/jung-enet-smart-home-server-account-takeover-via-r and Zero Science Lab at https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5974.php.
Details
- CWE(s)