{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26366", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-02-15T15:02:02.824Z", "datePublished": "2026-02-15T15:29:53.866Z", "dateUpdated": "2026-02-17T16:51:25.025Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-02-15T15:29:53.866Z"}, "datePublic": "2026-02-14T00:00:00.000Z", "title": "JUNG eNet SMART HOME server 2.2.1/2.3.1 Use of Default Credentials", "descriptions": [{"lang": "en", "value": "eNet SMART HOME server 2.2.1 and 2.3.1 ships with default credentials (user:user, admin:admin) that remain active after installation and commissioning without enforcing a mandatory password change. Unauthenticated attackers can use these default credentials to gain administrative access to sensitive smart home configuration and control functions."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Use of Default Credentials", "cweId": "CWE-1392", "type": "CWE"}]}], "affected": [{"vendor": "JUNG", "product": "eNet SMART HOME server", "versions": [{"version": "2.3.1 (46841)", "status": "affected"}, {"version": "2.2.1 (46056)", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5972.php", "name": "Zero Science Lab Vulnerability Advisory ZSL-2026-5972", "tags": ["third-party-advisory"]}, {"name": "VulnCheck Advisory: JUNG eNet SMART HOME server 2.2.1/2.3.1 Use of Default Credentials", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/jung-enet-smart-home-server-use-of-default-credent"}], "credits": [{"lang": "en", "value": "LiquidWorm as Gjoko Krstic of Zero Science Lab", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T16:51:12.509834Z", "id": "CVE-2026-26366", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T16:51:25.025Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26366", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-17T16:51:12.509834Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:19:00.223Z"}}], "cna": {"title": "JUNG eNet SMART HOME server 2.2.1/2.3.1 Use of Default Credentials", "credits": [{"lang": "en", "type": "finder", "value": "LiquidWorm as Gjoko Krstic of Zero Science Lab"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "JUNG", "product": "eNet SMART HOME server", "versions": [{"status": "affected", "version": "2.3.1 (46841)"}, {"status": "affected", "version": "2.2.1 (46056)"}]}], "datePublic": "2026-02-14T00:00:00.000Z", "references": [{"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5972.php", "name": "Zero Science Lab Vulnerability Advisory ZSL-2026-5972", "tags": ["third-party-advisory"]}, {"url": "https://www.vulncheck.com/advisories/jung-enet-smart-home-server-use-of-default-credent", "name": "VulnCheck Advisory: JUNG eNet SMART HOME server 2.2.1/2.3.1 Use of Default Credentials", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "eNet SMART HOME server 2.2.1 and 2.3.1 ships with default credentials (user:user, admin:admin) that remain active after installation and commissioning without enforcing a mandatory password change. Unauthenticated attackers can use these default credentials to gain administrative access to sensitive smart home configuration and control functions."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1392", "description": "Use of Default Credentials"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-02-15T15:29:53.866Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26366", "state": "PUBLISHED", "dateUpdated": "2026-02-17T16:51:25.025Z", "dateReserved": "2026-02-15T15:02:02.824Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-02-15T15:29:53.866Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jung-group:enet_smart_home:2.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "4B230A5E-D3D3-4F14-8F2C-6230798C0A61", "vulnerable": true}, {"criteria": "cpe:2.3:a:jung-group:enet_smart_home:2.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "B80A70BE-E277-40FC-9E03-C5D31F9DAD5B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "eNet SMART HOME server 2.2.1 and 2.3.1 ships with default credentials (user:user, admin:admin) that remain active after installation and commissioning without enforcing a mandatory password change. Unauthenticated attackers can use these default credentials to gain administrative access to sensitive smart home configuration and control functions."}, {"lang": "es", "value": "El servidor eNet SMART HOME 2.2.1 y 2.3.1 se env\u00eda con credenciales predeterminadas (usuario:usuario, admin:admin) que permanecen activas despu\u00e9s de la instalaci\u00f3n y puesta en marcha sin forzar un cambio de contrase\u00f1a obligatorio. Atacantes no autenticados pueden usar estas credenciales predeterminadas para obtener acceso administrativo a funciones sensibles de configuraci\u00f3n y control del hogar inteligente."}], "id": "CVE-2026-26366", "lastModified": "2026-02-26T22:44:42.813", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-02-15T16:15:53.870", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Broken Link"], "url": "https://www.vulncheck.com/advisories/jung-enet-smart-home-server-use-of-default-credent"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory", "Exploit"], "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5972.php"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1392"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.3.1 (46841)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.2.1 (46056)"}}], "product": "enet_smart_home_server", "vendor": "jung"}], "analysis": {"en": {"generated_at": "2026-04-17T19:19:59.492005+00:00", "value": {"mitigation_remediation": ["Upgrade the device to the latest firmware that removes or disables the default credentials or that requires a mandatory password change upon first use.", "Immediately change the default \u201cuser\u201d and \u201cadmin\u201d passwords to strong, unique values and disable the default accounts if the firmware allows.", "Restrict network access to the eNet SMART HOME server by placing it behind a firewall or in a dedicated, isolated network zone so that only trusted devices can communicate with it."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Administrative Access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Jung Group\u2019s eNet SMART HOME server, specifically versions 2.2.1 and 2.3.1. Only devices running these firmware releases are impacted.", "description_and_impact": "The eNet SMART HOME server releases 2.2.1 and 2.3.1 contain active default user accounts that do not prompt for a password change after installation. Unauthenticated users can log in with the known credentials and gain full administrative control over the device\u2019s configuration and smart home device management functions. This allows an attacker to modify system settings, disconnect or connect smart devices, and potentially intercept or tamper with home network traffic controlled by the server.", "risk_and_exploitability": "The CVSS v3 score of 9.3 indicates a high severity flaw; the exploitability is virtually trivial because an attacker only needs to know the default credentials and does not require additional code execution. The EPSS score of less than 1% suggests that, statistically, the probability of exploitation is low at this time, yet the fact that no password change is enforced makes it a high value target for opportunistic attackers. The flaw is not currently catalogued in CISA\u2019s KEV list, but its presence makes it a priority for administrators to remediate."}}}}, "created": "2026-02-16T09:42:49.456000+00:00", "updated": "2026-04-17T19:30:15.631792+00:00", "vendors": ["jung", "jung$PRODUCT$enet_smart_home_server"]}