CVE-2026-41446
Published: 28 April 2026
Summary
CVE-2026-41446 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Snapone (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and IA-5 (Authenticator Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation requires timely installation of firmware updates like version 2.10.0.0, which directly addresses the exposed diagnostic endpoints and weak authentication.
Authenticator management prohibits hard-coded or weak authenticators such as the device's MAC address and service tag printed in plaintext on the label.
Least functionality eliminates unnecessary diagnostic endpoints that enable attackers to execute arbitrary root commands after weak authentication.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Exposed diagnostic HTTP endpoints with weak MAC/service tag auth enable remote exploitation of public-facing application (T1190); leads directly to arbitrary root command execution (T1059.004 Unix Shell).
NVD Description
Snap One WattBox 800 and 820 series firmware versions prior to 2.10.0.0 contain undisclosed diagnostic HTTP endpoints that require only the device MAC address and service tag for authentication, both of which are printed in plaintext on the physical device…
more
label. Attackers with access to the device label or documentation containing these values can authenticate to the several endpoints and execute arbitrary commands as root on the device.
Deeper analysisAI
Snap One WattBox 800 and 820 series devices running firmware versions prior to 2.10.0.0 are affected by CVE-2026-41446, a vulnerability involving undisclosed diagnostic HTTP endpoints. These endpoints use weak authentication that relies solely on the device's MAC address and service tag, both of which are printed in plaintext on the physical device label. This flaw, tied to CWE-798 (use of hard-coded credentials) and CWE-912 (hidden functionality), allows unauthorized access to sensitive diagnostic features.
Attackers who obtain the MAC address and service tag—through physical access to the device label, documentation, or other means—can remotely authenticate to the endpoints over the network with no privileges required. Successful exploitation enables execution of arbitrary commands as root on the device, potentially leading to full compromise, including high confidentiality, integrity, and availability impacts, as reflected in the CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vendor's firmware release notes at https://help.snapone.com/wb-8x0-fw/Content/FW%20RN/8x0/8x0%20series%20FW%20RN.htm detail mitigation through upgrading to firmware version 2.10.0.0 or later, which addresses the exposed endpoints and authentication issues.
Details
- CWE(s)