CVE-2026-41446

Summary

Snap One WattBox 800 and 820 series firmware versions prior to 2.10.0.0 contain undisclosed diagnostic HTTP endpoints that require only the device MAC address and service tag for authentication, both of which are printed in plaintext on the physical device label. Attackers with access to the device label or documentation containing these values can authenticate to the several endpoints and execute arbitrary commands as root on the device.

Affected Software

VendorProductVersion RangeStatus
Snap One, LLCWattBox 8000 < 2.10.0.0affected
Snap One, LLCWattBox 8200 < 2.10.0.0affected

Weaknesses

  • CWE-912: CWE-912 Hidden Functionality
  • CWE-798: CWE-798 Use of Hard-coded Credentials

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References