CVE-2026-26341
moderate-risk
Published 2026-02-24
Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior ship with default credentials that are not forced to be changed during installation or commissioning. An attacker who can reach the management interface can authenticate using the default credentials and gain administrative access, enabling unauthorized access to device configuration and data.
Do I need to act?
-
0.19% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (10)
Smart\+ Firmware
Tolling\+ Firmware
Smart\+ Speed Firmware
Smart\+ Traffic Light Firmware
Axle Counter Firmware
Vega53 Firmware
Vega33 Firmware
Vega11 Firmware
Basic Mk2 Firmware
Anpr Mobile Firmware
Affected Vendors
References (3)
Product
https://www.tattile.com/
Third Party Advisory
https://www.vulncheck.com/advisories/tattile-smart-vega-basic-default-credential...
Third Party Advisory
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5977.php
49
/ 100
moderate-risk
Severity
32/34 · Critical
Exploitability
1/34 · Minimal
Exposure
16/34 · Moderate