CVE-2026-26341
published 2026-02-24

CVE-2026-26341: Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior ship with default credentials that are not forced to be changed during…

Priority: P277 · Severity: critical, 9.8 (CVSS 3.1) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit prediction (EPSS): 2.66%, 83.8th percentile
Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior ship with default credentials that are not forced to be changed during installation or commissioning. An attacker who can reach the management interface can authenticate using the default credentials and gain administrative access, enabling unauthorized access to device configuration and data.

Affected

20 ranges
Vendor        | Product                         | Version range | Fixed in
tattile       | anpr_mobile_firmware            | <= 1.181.5    |
tattile       | axle_counter_firmware           | <= 1.181.5    |
tattile       | basic_mk2_firmware              | <= 1.181.5    |
tattile       | smart_+_firmware                | <= 1.181.5    |
tattile       | smart_+_speed_firmware          | <= 1.181.5    |
tattile       | smart_+_traffic_light_firmware  | <= 1.181.5    |
tattile       | tolling_+_firmware              | <= 1.181.5    |
tattile       | vega11_firmware                 | <= 1.181.5    |
tattile       | vega33_firmware                 | <= 1.181.5    |
tattile       | vega53_firmware                 | <= 1.181.5    |
tattile_s.r.l | anpr_mobile                     | <= 1.181.5    |
tattile_s.r.l | axle_counter                    | <= 1.181.5    |
tattile_s.r.l | basic_mk2                       | <= 1.181.5    |
tattile_s.r.l | smart                           | <= 1.181.5    |
tattile_s.r.l | smart+_speed                    | <= 1.181.5    |
tattile_s.r.l | smart+_traffic_light            | <= 1.181.5    |
tattile_s.r.l | tolling                         | <= 1.181.5    |
tattile_s.r.l | vega11                          | <= 1.181.5    |
tattile_s.r.l | vega33                          | <= 1.181.5    |
tattile_s.r.l | vega53                          | <= 1.181.5    |

Detection & IOCs (extracted from sources)

url: GET /api/v1/security/login HTTP/1.1
other: Basic c3VwZXJ1c2VyOnN1cGVydXNlcg==
path: /api/v1/security/login
  • Fingerprint Tattile camera management interface by checking HTTP response body for the string 'Tattile camera manager' on port 80/443.
  • Shodan query to identify exposed Tattile camera management interfaces: http.html:"Tattile camera manager"
  • FOFA query to identify Tattile devices by icon hash: icon_hash=="2030104257"
  • Successful default-credential login to /api/v1/security/login returns HTTP 200 with content-type text/plain and a UUID-format session token in the body (regex: ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$).
  • Default credentials used are superuser:superuser, encoded as Base64 'c3VwZXJ1c2VyOnN1cGVydXNlcg==' in the HTTP Basic Authorization header against the /api/v1/security/login endpoint.
  • Affected firmware versions are 1.181.5 and prior across Tattile Smart+, Vega, and Basic device families. The vulnerability is only exploitable if the management interface is network-reachable.
  • The Nuclei template uses a two-step flow: first confirm the Tattile camera manager page is present (HTTP 200 + body match), then attempt the default-credential login. Both conditions must be satisfied for a positive detection.

CVSS provenance

NVD · CVSS v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD · CVSS v4.0 · 9.3 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X