CVE-2026-26341

CRITICAL

Tattile Smart+/Vega/Basic <1.181.5 - Auth Bypass

Title source: llm

Description

Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior ship with default credentials that are not forced to be changed during installation or commissioning. An attacker who can reach the management interface can authenticate using the default credentials and gain administrative access, enabling unauthorized access to device configuration and data.

References (3)

[Various Sources] https://www.tattile.com/

[Third Party Advisory] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5977.php

[Third Party Advisory] https://www.vulncheck.com/advisories/tattile-smart-vega-basic-default-credentials

Scores

CVSS v3 9.8

EPSS 0.0019

EPSS Percentile 40.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-1392

Status published

Products (10)

tattile/anpr_mobile_firmware < 1.181.5

tattile/axle_counter_firmware < 1.181.5

tattile/basic_mk2_firmware < 1.181.5

tattile/smart\+_firmware < 1.181.5

tattile/smart\+_speed_firmware < 1.181.5

tattile/smart\+_traffic_light_firmware < 1.181.5

tattile/tolling\+_firmware < 1.181.5

tattile/vega11_firmware < 1.181.5

tattile/vega33_firmware < 1.181.5

tattile/vega53_firmware < 1.181.5

Published Feb 24, 2026

Tracked Since Feb 25, 2026