CVE-2026-41446

Critical

Published: 28 April 2026

Modified: 30 April 2026
CVSS v4 Score: 9.2
CVSS v4 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0043 (34.7th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-41446 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability affecting Snap One (vendor inferred from references). Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 34.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and IA-5 (Authenticator Management).

Deeper analysis

Snap One WattBox 800 and 820 series devices running firmware versions prior to 2.10.0.0 are affected by CVE-2026-41446, a vulnerability involving undisclosed diagnostic HTTP endpoints. These endpoints use weak authentication that relies solely on the device's MAC address and service tag, both of which are printed in plaintext on the physical device label. This flaw, tied to CWE-798 (use of hard-coded credentials) and CWE-912 (hidden functionality), allows unauthorized access to sensitive diagnostic features.

Attackers who obtain the MAC address and service tag—through physical access to the device label, documentation, or other means—can remotely authenticate to the endpoints over the network with no privileges required. Successful exploitation enables execution of arbitrary commands as root on the device, potentially leading to full compromise, including high confidentiality, integrity, and availability impacts, as reflected in the CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The vendor's firmware release notes at https://help.snapone.com/wb-8x0-fw/Content/FW%20RN/8x0/8x0%20series%20FW%20RN.htm detail mitigation through upgrading to firmware version 2.10.0.0 or later, which addresses the exposed endpoints and authentication issues.

Vulnerability details

Snap One WattBox 800 and 820 series firmware versions prior to 2.10.0.0 contain undisclosed diagnostic HTTP endpoints that require only the device MAC address and service tag for authentication, both of which are printed in plaintext on the physical device label. Attackers with access to the device label or documentation containing these values can authenticate to the endpoints and execute arbitrary commands as root on the device.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Exposed diagnostic HTTP endpoints with weak MAC address and service tag authentication enable remote exploitation of a public-facing application (T1190), which leads directly to arbitrary root command execution (T1059.004, Unix Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2010-20103 (Shared CWE-912)
CVE-2025-52376 (Shared CWE-798)
CVE-2020-36911 (Shared CWE-798)
CVE-2026-30701 (Shared CWE-798)
CVE-2026-1952 (Shared CWE-912)
CVE-2026-35503 (Shared CWE-798)
CVE-2017-20234 (Shared CWE-798)
CVE-2024-39754 (Shared CWE-912)
CVE-2026-32834 (Shared CWE-798)
CVE-2025-42890 (Shared CWE-798)

Affected Assets

Snapone
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Flaw remediation requires timely installation of firmware updates like version 2.10.0.0, which directly addresses the exposed diagnostic endpoints and weak authentication.

Prevent: Authenticator management prohibits hard-coded or weak authenticators such as the device's MAC address and service tag printed in plaintext on the label.

Prevent: Least functionality eliminates unnecessary diagnostic endpoints that enable attackers to execute arbitrary root commands after weak authentication.
