CVE-2026-26366
Default Credentials in eNet SMART HOME Server Allow Admin Access
Publication date: 2026-02-15
Last updated on: 2026-02-26
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jung-group | enet_smart_home | 2.2.1 |
| jung-group | enet_smart_home | 2.3.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1392 | The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality. |
AI Powered Q&A
Can you explain this vulnerability to me?
The eNet SMART HOME server versions 2.2.1 and 2.3.1 have a critical vulnerability because they ship with default credentials (user:user, admin:admin) that remain active after installation without requiring users to change them.
This flaw allows unauthenticated attackers to use these default credentials to gain administrative access to the smart home system.
Attackers can perform actions such as arbitrary user deletions via the deleteUserAccount function, which can lead to system compromise, denial of service, and privilege escalation.
How can this vulnerability impact me?
If exploited, this vulnerability allows unauthorized attackers to gain full administrative access to the smart home system. Possible consequences include:
- Compromise of sensitive smart home configuration and control functions.
- Potential deletion of user accounts, disrupting system access.
- Denial of Service (DoS) conditions caused by malicious actions.
- Privilege escalation, allowing attackers to perform actions beyond their intended permissions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the eNet SMART HOME server is accessible using the default credentials (user:user, admin:admin). An unauthenticated attacker can log in with these credentials to gain administrative access.
To detect this on your system or network, you can attempt to connect to the server's management interface and try logging in with the default usernames and passwords.
Since the affected system runs on GNU/Linux with Jetty server, you might use tools like curl or wget to test login endpoints or use telnet/ssh if applicable.
- curl -X POST -d 'username=admin&password=admin' http://<target-ip>/login
- curl -X POST -d 'username=user&password=user' http://<target-ip>/login
- Attempt to access the deleteUserAccount function or other administrative endpoints to verify if unauthorized access is possible. [1]
What immediate steps should I take to mitigate this vulnerability?
Change the default credentials (user:user, admin:admin) to strong, unique passwords immediately after installation and commissioning.
If possible, restrict network access to the eNet SMART HOME server to trusted hosts only, using firewall rules or network segmentation.
Monitor the system for any unauthorized access attempts, especially targeting administrative functions like deleteUserAccount.
Since the vendor has not yet responded with a patch, consider disabling remote access to the server until a fix is available.
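The monitoring step above, sketched as a log check. This is an added example, not part of the advisory or of the vendor's software: it flags default account names used from outside a trusted subnet and any call to deleteUserAccount. The log layout, the 192.168.10.0/24 trusted subnet and the rule names are assumptions, since the page does not document the server's log format; the sample lines are constructed.

```python
import ipaddress
import re

# Constructed sample in an ASSUMED "timestamp source-ip account action result"
# layout; the server's real log format is not given on this page.
SAMPLE_LOG = """\
2026-02-20T08:01:12Z 192.168.10.5 homeowner login ok
2026-02-20T08:03:40Z 203.0.113.77 admin login ok
2026-02-20T08:03:55Z 203.0.113.77 admin deleteUserAccount ok
2026-02-20T08:10:02Z 192.168.10.9 user login fail
2026-02-20T08:15:30Z 192.168.10.5 admin login ok
not-a-log-line
"""

DEFAULT_ACCOUNTS = {"user", "admin"}        # account names from the advisory
SENSITIVE_ACTIONS = {"deleteUserAccount"}   # function named in the advisory
TRUSTED_NETS = [ipaddress.ip_network("192.168.10.0/24")]  # assumed trusted subnet

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (ok|fail)$")


def is_trusted(source_ip):
    """True when the source address lies inside a trusted network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_alerts(log_text):
    """Return (line_number, rule, source_ip, account) for each suspicious line."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # line does not fit the assumed layout
        _ts, src, account, action, _result = match.groups()
        try:
            trusted = is_trusted(src)
        except ValueError:
            continue  # source field is not an IP address
        # Rule 1: a default account name used from outside the trusted subnet,
        # whether or not the login succeeded.
        if action == "login" and account in DEFAULT_ACCOUNTS and not trusted:
            alerts.append((lineno, "default-account-login-untrusted", src, account))
        # Rule 2: any call to a sensitive administrative function.
        if action in SENSITIVE_ACTIONS:
            alerts.append((lineno, "sensitive-function-call", src, account))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```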