Platform
other
Component
enet-smart-home-server
Fixed in
2.3.2
2.2.2
CVE-2026-26369 describes a privilege escalation vulnerability discovered in the eNet SMART HOME server. This flaw allows a low-privileged user to gain administrative access, potentially compromising the entire smart home system. The vulnerability impacts versions 2.2.1 through 2.3.1 of the server software. A patch is available in version 2.3.2.
Successful exploitation of CVE-2026-26369 allows an attacker to elevate a standard user account to the UG_ADMIN role. This grants them complete control over the eNet SMART HOME system, including the ability to modify device configurations, change network settings, and potentially access sensitive data stored within the system. The blast radius extends to all devices managed by the server, as an attacker can manipulate their behavior and access their data. This vulnerability is particularly concerning given the increasing reliance on smart home devices for security and convenience.
CVE-2026-26369 was published on 2026-02-15. Its CRITICAL CVSS score indicates a high probability of exploitation. While no public proof-of-concept (POC) code has been released as of this writing, the ease of exploitation (a simple crafted POST request) suggests that it could be rapidly weaponized. The vulnerability is not currently listed on KEV or EPSS, but its severity warrants close monitoring. Check vendor advisories for updates.
Exploit Status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2026-26369 is to upgrade the eNet SMART HOME server to version 2.3.2 or later. If an immediate upgrade is not possible due to compatibility issues or system downtime concerns, consider implementing temporary workarounds. While a direct WAF rule is difficult to implement due to the JSON-RPC nature of the exploit, carefully review and restrict access to the /jsonrpc/management endpoint, limiting access to trusted IP addresses or user groups. Monitor system logs for unusual POST requests to this endpoint, specifically those containing user-controlled data in the request body. After upgrading, confirm the fix by attempting to escalate a low-privileged user account and verifying that the elevation fails.
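One way to implement the log monitoring described above, as an added example that is not code from the vendor or from this advisory. It assumes a reverse proxy in front of the server writes one JSON record per request including the body; the record fields, the `params` layout, the trusted range and the admin account names are all constructed placeholders, and only the endpoint, method name and role name come from the advisory.

```python
import ipaddress
import json

ENDPOINT = "/jsonrpc/management"            # endpoint named in the advisory
METHOD, ROLE = "setUserGroup", "UG_ADMIN"   # method and role named in the advisory
# Assumptions (site-specific, not from the advisory): trusted range and admin accounts.
TRUSTED_NETS = [ipaddress.ip_network("192.168.10.0/28")]
KNOWN_ADMINS = {"installer"}

def mentions(value, needle):
    """True if needle is a string value anywhere in nested JSON data."""
    if isinstance(value, dict):
        value = list(value.values())
    if isinstance(value, list):
        return any(mentions(v, needle) for v in value)
    return value == needle

def calls(body):
    """Yield JSON-RPC call objects from a request body (single call or batch)."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return
    yield from (c for c in (doc if isinstance(doc, list) else [doc]) if isinstance(c, dict))

def suspicious(rec):
    """Reasons a logged request needs review; an empty list means none."""
    if rec.get("method") != "POST" or str(rec.get("path")).split("?")[0] != ENDPOINT:
        return []
    if not any(c.get("method") == METHOD and mentions(c.get("params"), ROLE)
               for c in calls(rec.get("body"))):
        return []
    reasons = [] if rec.get("user") in KNOWN_ADMINS else ["caller is not a known admin"]
    try:
        trusted = any(ipaddress.ip_address(rec.get("src")) in n for n in TRUSTED_NETS)
    except ValueError:
        trusted = False
    return reasons if trusted else reasons + ["source outside trusted networks"]

def scan(lines):
    """Return (user, reasons) for every flagged JSON log line."""
    return [(r.get("user"), why) for r in map(json.loads, lines) if (why := suspicious(r))]

def make_record(src, user, call):  # builds one constructed proxy log line
    return json.dumps({"src": src, "user": user, "method": "POST",
                       "path": ENDPOINT, "body": json.dumps(call)})
CALL = {"jsonrpc": "2.0", "id": 1, "method": METHOD, "params": {"group": ROLE}}  # placeholder params
SAMPLE_LOG = [make_record("192.168.10.5", "installer", CALL),   # constructed records
              make_record("192.168.10.7", "guest1", CALL),
              make_record("10.0.0.99", "guest1", [{"method": "otherMethod"}, CALL])]
```

`scan(SAMPLE_LOG)` flags the two `guest1` records, including the one hidden in a batch, and leaves the change made by the known admin from the trusted range alone.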
Upgrade the eNet SMART HOME server to a version later than 2.3.1 that fixes the privilege escalation vulnerability. See the website of the vendor, JUNG, for the latest version and upgrade instructions. Be sure to follow security best practices when configuring and managing your smart home system.
CVE-2026-26369 is a critical vulnerability in eNet SMART HOME server versions 2.2.1–2.3.1 that allows a low-privileged user to escalate to an administrator, gaining full control of the system. This is due to insufficient authorization checks in the setUserGroup JSON-RPC method.
You are affected if you are running eNet SMART HOME server version 2.2.1 or 2.3.1. Versions prior to 2.3.2 are vulnerable to privilege escalation.
Upgrade your eNet SMART HOME server to version 2.3.2 or later to resolve this vulnerability. If immediate upgrade is not possible, restrict access to the /jsonrpc/management endpoint.
While no public exploits are currently known, the ease of exploitation suggests a high likelihood of exploitation. Monitor your systems closely and apply the patch as soon as possible.
Refer to the official eNet security advisory for detailed information and updates regarding CVE-2026-26369. Check the eNet website or contact eNet support for the latest advisory.