CVE-2026-26340
Received Received - Intake
Unauthorized RTSP Access in Tattile Smart+ Firmware Exposes Streams

Publication date: 2026-02-24

Last updated on: 2026-02-26

Assigner: VulnCheck

Description
Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior expose RTSP streams without requiring authentication. A remote attacker can connect to the RTSP service and access live video/audio streams without valid credentials, resulting in unauthorized disclosure of surveillance data.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26340
EUVD
EUVD-2026-8550
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
tattile smart+_firmware to 1.181.5 (inc)
tattile tolling+_firmware to 1.181.5 (inc)
tattile smart+_speed_firmware to 1.181.5 (inc)
tattile smart+_traffic_light_firmware to 1.181.5 (inc)
tattile axle_counter_firmware to 1.181.5 (inc)
tattile vega53_firmware to 1.181.5 (inc)
tattile vega33_firmware to 1.181.5 (inc)
tattile vega11_firmware to 1.181.5 (inc)
tattile basic_mk2_firmware to 1.181.5 (inc)
tattile anpr_mobile_firmware to 1.181.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-26340 affects Tattile Smart+, Vega, and Basic device families with firmware versions 1.181.5 and earlier. These devices expose RTSP (Real-Time Streaming Protocol) streams without requiring any authentication.

A remote attacker can connect to the RTSP service and access live video and audio streams without valid credentials, resulting in unauthorized disclosure of surveillance data.

This vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) and has a high severity rating with a CVSS v4 score of 8.7.

Impact Analysis

This vulnerability allows unauthorized remote attackers to access live video and audio streams from affected Tattile devices without any authentication.

As a result, sensitive surveillance data can be exposed, potentially compromising privacy and security.

The exposure of live surveillance streams can lead to unauthorized monitoring and misuse of sensitive information captured by these cameras.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves Tattile devices exposing RTSP streams without authentication, allowing unauthorized access to live video and audio streams.

To detect this vulnerability on your network or system, you can scan for open RTSP services on devices running firmware version 1.181.5 or earlier from the affected Tattile product families.

A common approach is to use network scanning tools like nmap to identify devices with open RTSP ports (default port 554). For example, you can run the following command to scan a target IP or subnet:

  • nmap -p 554 --open <target-ip-or-subnet>

Once an open RTSP port is found, you can attempt to connect to the RTSP stream using tools like VLC or ffmpeg without providing credentials to verify if authentication is required.

  • ffmpeg -i rtsp://<target-ip>:554/stream
  • vlc rtsp://<target-ip>:554/stream

If the stream is accessible without authentication, the device is vulnerable.

Mitigation Strategies

[{'type': 'paragraph', 'content': "Immediate mitigation steps include restricting network access to the affected devices' RTSP service to trusted users only."}, {'type': 'paragraph', 'content': 'You should implement network segmentation and firewall rules to block unauthorized external access to port 554 (RTSP) on these devices.'}, {'type': 'paragraph', 'content': 'If possible, disable the RTSP service temporarily until a firmware update is available.'}, {'type': 'paragraph', 'content': 'Monitor vendor announcements and plan to apply the official patch expected around May 2026 (week 19) that addresses this vulnerability.'}, {'type': 'paragraph', 'content': 'Additionally, consider changing default credentials and reviewing device configurations to enhance security.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26340. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart