CVE-2026-26340
moderate-risk
Published 2026-02-24
Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior expose RTSP streams without requiring authentication. A remote attacker can connect to the RTSP service and access live video/audio streams without valid credentials, resulting in unauthorized disclosure of surveillance data.
Do I need to act?
-
0.79% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10
High
NETWORK
/ LOW complexity
Affected Products (10)
Smart\+ Firmware
Tolling\+ Firmware
Smart\+ Speed Firmware
Smart\+ Traffic Light Firmware
Axle Counter Firmware
Vega53 Firmware
Vega33 Firmware
Vega11 Firmware
Basic Mk2 Firmware
Anpr Mobile Firmware
Affected Vendors
References (3)
Product
https://www.tattile.com/
Third Party Advisory
https://www.vulncheck.com/advisories/tattile-smart-vega-basic-unauthenticated-rt...
Third Party Advisory
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5978.php
45
/ 100
moderate-risk
Severity
26/34 · High
Exploitability
3/34 · Minimal
Exposure
16/34 · Moderate