CVE-2026-26340

Summary

Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior expose RTSP streams without requiring authentication. A remote attacker can connect to the RTSP service and access live video/audio streams without valid credentials, resulting in unauthorized disclosure of surveillance data.

Affected Software

VendorProductVersion RangeStatus
Tattile s.r.l.Smart+0 <= 1.181.5affected
Tattile s.r.l.Tolling+0 <= 1.181.5affected
Tattile s.r.l.Smart+ Speed0 <= 1.181.5affected
Tattile s.r.l.Smart+ Traffic Light0 <= 1.181.5affected
Tattile s.r.l.Axle Counter0 <= 1.181.5affected
Tattile s.r.l.Vega530 <= 1.181.5affected
Tattile s.r.l.Vega330 <= 1.181.5affected
Tattile s.r.l.Vega110 <= 1.181.5affected
Tattile s.r.l.Basic MK20 <= 1.181.5affected
Tattile s.r.l.ANPR Mobile0 <= 1.181.5affected

Weaknesses

  • CWE-306: CWE-306 Missing Authentication for Critical Function

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References