CVE-2022-26671

HIGH

Taiwan Secom Dr.ID Access Control - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-26671. PoCs published by DefensiveOrigins.

AI-analyzed exploit summary This repository provides a writeup for CVE-2022-26671, detailing a hardcoded credential vulnerability in the login page of a specific software. The cleartext credentials 'secom | supervisor' are exposed in the HTTP response body.

Description

Taiwan Secom Dr.ID Access Control system’s login page has a hard-coded credential in the source code. An unauthenticated remote attacker can use the hard-coded credential to acquire partial system information and modify system setting to cause partial disrupt of service.

Exploits (1)

nomisec WRITEUP

by DefensiveOrigins · poc

https://github.com/DefensiveOrigins/POC-CVE-2022-26671

View Code ZIP pw:eip

This repository provides a writeup for CVE-2022-26671, detailing a hardcoded credential vulnerability in the login page of a specific software. The cleartext credentials 'secom | supervisor' are exposed in the HTTP response body.

Classification

Writeup 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Unknown (likely a web application with AT/ATDefault.aspx endpoint)

No auth needed

Prerequisites: Access to the vulnerable endpoint /AT/ATDefault.aspx

MITRE ATT&CK

T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Third Party Advisory x_refsource_misc

https://www.twcert.org.tw/tw/cp-132-5971-b691f-1.html

Scores

CVSS v3 7.3

EPSS 0.0091

EPSS Percentile 55.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Details

CWE

CWE-798

Status published

Products (2)

secom/dr.id_access_control 3.3.2

secom/dr.id_attendance_system 3.4.0.0.3.11

Published Apr 07, 2022

Tracked Since Feb 18, 2026