CVE-2026-26341

Summary

Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior ship with default credentials that are not forced to be changed during installation or commissioning. An attacker who can reach the management interface can authenticate using the default credentials and gain administrative access, enabling unauthorized access to device configuration and data.

Affected Software

VendorProductVersion RangeStatus
Tattile s.r.l.Smart+0 <= 1.181.5affected
Tattile s.r.l.Tolling+0 <= 1.181.5affected
Tattile s.r.l.Smart+ Speed0 <= 1.181.5affected
Tattile s.r.l.Smart+ Traffic Light0 <= 1.181.5affected
Tattile s.r.l.Axle Counter0 <= 1.181.5affected
Tattile s.r.l.Vega530 <= 1.181.5affected
Tattile s.r.l.Vega330 <= 1.181.5affected
Tattile s.r.l.Vega110 <= 1.181.5affected
Tattile s.r.l.Basic MK20 <= 1.181.5affected
Tattile s.r.l.ANPR Mobile0 <= 1.181.5affected

Weaknesses

  • CWE-1392: CWE-1392 Use of Default Credentials

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

References