CVE-2026-26341

Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior ship with default credentials that are not forced to be changed during installation or commissioning. An attacker who can reach the management interface can authenticate using the default credentials and gain administrative access, enabling unauthorized access to device configuration and data.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:tattile:smart\+_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:tattile:smart\+:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:tattile:tolling\+_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:tattile:tolling\+:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:tattile:smart\+_speed_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:tattile:smart\+_speed:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:tattile:smart\+_traffic_light_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:tattile:smart\+_traffic_light:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:tattile:axle_counter_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:tattile:axle_counter:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:tattile:vega53_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:tattile:vega53:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:tattile:vega33_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:tattile:vega33:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:tattile:vega11_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:tattile:vega11:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:tattile:basic_mk2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:tattile:basic_mk2:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:tattile:anpr_mobile_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:tattile:anpr_mobile:-:*:*:*:*:*:*:*

History

17 Jun 2026, 10:26

Type Values Removed Values Added
Summary
  • (es) Las versiones de firmware 1.181.5 y anteriores de las familias de dispositivos Tattile Smart+, Vega y Basic se envían con credenciales predeterminadas que no se exige cambiar durante la instalación o la puesta en marcha. Un atacante que pueda acceder a la interfaz de gestión puede autenticarse usando las credenciales predeterminadas y obtener acceso de administrador, lo que permite el acceso no autorizado a la configuración y los datos del dispositivo.
References () https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5977.php - Third Party Advisory, Exploit () https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5977.php - Exploit, Third Party Advisory

26 Feb 2026, 17:31

Type Values Removed Values Added
First Time Tattile basic Mk2
Tattile tolling\+
Tattile vega33
Tattile smart\+ Speed Firmware
Tattile axle Counter Firmware
Tattile smart\+ Traffic Light Firmware
Tattile vega33 Firmware
Tattile smart\+
Tattile
Tattile anpr Mobile Firmware
Tattile tolling\+ Firmware
Tattile smart\+ Traffic Light
Tattile basic Mk2 Firmware
Tattile vega53
Tattile axle Counter
Tattile smart\+ Speed
Tattile vega53 Firmware
Tattile anpr Mobile
Tattile vega11 Firmware
Tattile smart\+ Firmware
Tattile vega11
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.8
References () https://www.tattile.com/ - () https://www.tattile.com/ - Product
References () https://www.vulncheck.com/advisories/tattile-smart-vega-basic-default-credentials - () https://www.vulncheck.com/advisories/tattile-smart-vega-basic-default-credentials - Third Party Advisory, VDB Entry
References () https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5977.php - () https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5977.php - Third Party Advisory, Exploit
CPE cpe:2.3:o:tattile:axle_counter_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:tattile:tolling\+:-:*:*:*:*:*:*:*
cpe:2.3:o:tattile:vega33_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:tattile:vega53_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:tattile:vega53:-:*:*:*:*:*:*:*
cpe:2.3:h:tattile:smart\+_traffic_light:-:*:*:*:*:*:*:*
cpe:2.3:h:tattile:smart\+_speed:-:*:*:*:*:*:*:*
cpe:2.3:h:tattile:anpr_mobile:-:*:*:*:*:*:*:*
cpe:2.3:o:tattile:basic_mk2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:tattile:smart\+_traffic_light_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:tattile:basic_mk2:-:*:*:*:*:*:*:*
cpe:2.3:o:tattile:vega11_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:tattile:tolling\+_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:tattile:anpr_mobile_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:tattile:vega33:-:*:*:*:*:*:*:*
cpe:2.3:o:tattile:smart\+_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:tattile:vega11:-:*:*:*:*:*:*:*
cpe:2.3:h:tattile:smart\+:-:*:*:*:*:*:*:*
cpe:2.3:o:tattile:smart\+_speed_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:tattile:axle_counter:-:*:*:*:*:*:*:*

24 Feb 2026, 20:27

Type Values Removed Values Added
New CVE

Information

Published : 2026-02-24 20:27

Updated : 2026-06-17 10:26


NVD link : CVE-2026-26341

Mitre link : CVE-2026-26341

CVE.ORG link : CVE-2026-26341


JSON object : View

Products Affected

tattile

  • vega11_firmware
  • smart\+_speed_firmware
  • smart\+_speed
  • axle_counter
  • smart\+_traffic_light
  • tolling\+_firmware
  • axle_counter_firmware
  • tolling\+
  • vega11
  • vega53_firmware
  • smart\+
  • vega53
  • anpr_mobile_firmware
  • vega33
  • anpr_mobile
  • vega33_firmware
  • basic_mk2_firmware
  • smart\+_firmware
  • basic_mk2
  • smart\+_traffic_light_firmware
CWE
CWE-1392

Use of Default Credentials