Platform
other
Component
tattile-smart-vega-basic
Fixed in
1.181.6
CVE-2026-26340 affects Tattile Smart+, Vega, and Basic device families running firmware versions 0 through 1.181.5. This vulnerability allows a remote attacker to access live video and audio streams via the RTSP service without authentication, leading to unauthorized disclosure of surveillance data. The vulnerability was publicly disclosed on February 24, 2026, and a firmware update is expected to address the issue.
The primary impact of CVE-2026-26340 is the unauthorized exposure of live video and audio streams captured by Tattile surveillance devices. An attacker exploiting this vulnerability could gain real-time access to sensitive areas monitored by these devices, potentially compromising privacy and security. This could include observing private residences, businesses, or critical infrastructure. The lack of authentication means that any attacker with network access to the device can exploit this vulnerability, significantly broadening the potential attack surface. The blast radius extends to anyone who relies on the surveillance data captured by these devices, as the integrity and confidentiality of that data are directly at risk.
CVE-2026-26340 is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the simplicity of the vulnerability suggests that they are likely to emerge. The EPSS score is likely to be assessed as medium, given the ease of exploitation and the potential for significant data exposure. The vulnerability was disclosed publicly on February 24, 2026.
Organizations and individuals utilizing Tattile Smart+, Vega, and Basic surveillance devices are at risk. This includes businesses using these devices for security monitoring, homeowners relying on them for home surveillance, and potentially critical infrastructure facilities where these devices are deployed for security purposes. Legacy configurations with default network settings are particularly vulnerable.
• windows / supply-chain: Monitor network connections for RTSP traffic to Tattile devices. Use PowerShell to check for unusual processes accessing network resources.
Get-NetTCPConnection | Where-Object {$_.RemotePort -eq 554} | Select-Object LocalAddress, RemoteAddress, State
• linux / server: Use ss or netstat to identify RTSP connections. Examine system logs for authentication failures related to RTSP.
ss -tn '( dport = :554 or sport = :554 )'
• generic web: Use curl to attempt connecting to the RTSP stream without authentication.
curl rtsp://<device_ip>:554/live
Exploit Status
EPSS
0.53% (67th percentile)
CISA SSVC
The primary mitigation for CVE-2026-26340 is to upgrade the firmware on affected Tattile Smart+, Vega, and Basic devices to a version that includes the security fix. Tattile is expected to release a patched firmware version soon. Until a patch is available, consider segmenting the network to restrict access to the devices. Implement firewall rules to block external access to the RTSP port (typically 554) on the devices. Monitor network traffic for suspicious RTSP connections originating from unexpected sources. After upgrading the firmware, confirm the fix by attempting to connect to the RTSP stream without authentication; a successful connection indicates the vulnerability remains.
Upgrade the firmware on the Tattile Smart+, Vega, or Basic device to a version later than 1.181.5 so that authentication is required to access the RTSP streams. This prevents unauthorized access to the video and audio streams.
CVE-2026-26340 is a vulnerability affecting Tattile Smart+, Vega, and Basic devices where RTSP streams can be accessed without authentication, allowing unauthorized viewing of live video/audio.
You are affected if you use a Tattile Smart+, Vega, or Basic device running firmware versions 0 through 1.181.5 and have not yet upgraded to a patched version.
Upgrade the firmware on your Tattile device to a version that includes the security fix. Until a patch is available, restrict network access and monitor for suspicious RTSP connections.
While no active exploitation has been confirmed, the simplicity of the vulnerability suggests that exploitation is likely to occur.
Refer to the Tattile website or contact Tattile support for the official advisory and firmware updates related to CVE-2026-26340.