Description
Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior ship with default credentials that are not forced to be changed during installation or commissioning. An attacker who can reach the management interface can authenticate using the default credentials and gain administrative access, enabling unauthorized access to device configuration and data.
Published: 2026-02-24
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Administrative access via default credentials
Action: Immediate patch
AI Analysis

Impact

Tattile firmware versions 1.181.5 and prior ship with default administrative credentials, and nothing requires them to be changed during device configuration. An attacker who can reach the device's management interface can authenticate with those defaults and gain full administrative privileges, enabling unauthorized modification of configuration settings and access to collected data. The weakness is classified as CWE-1392 (Use of Default Credentials).

Affected Systems

Affected products are provided by Tattile s.r.l. and include ANPR Mobile, Axle Counter, Basic MK2, Smart+, Smart+ Speed, Smart+ Traffic Light, Tolling+, Vega11, Vega33, and Vega53. Firmware versions 1.181.5 and older are vulnerable; newer releases remove the default credentials.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.3 (Critical), but the EPSS score of less than 1 percent reflects a very low measured probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Exploitation is achievable by anyone who can reach the management interface, which likely requires network connectivity to the device's internal management port or an exposed service. Network reachability is the only prerequisite; physical access is not required.

Generated by OpenCVE AI on April 16, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device firmware to a version that removes default credentials, such as 1.181.6 or later.
  • If a firmware update is not immediately available, replace the default administrative username and password with a strong, unique credential set and disable any unused default accounts.
  • Restrict external access to the device’s management interface by placing it behind a firewall, requiring VPN access, or limiting permitted IP ranges.



Advisories

No advisories yet.

History

Thu, 05 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Iptime
Iptime smart Firmware
CPEs cpe:2.3:o:iptime:smart_firmware:*:*:*:*:*:*:*:*
Vendors & Products Iptime
Iptime smart Firmware

Thu, 26 Feb 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Tattile anpr Mobile Firmware
Tattile axle Counter Firmware
Tattile basic Mk2 Firmware
Tattile smart\+
Tattile smart\+ Firmware
Tattile smart\+ Speed
Tattile smart\+ Speed Firmware
Tattile smart\+ Traffic Light
Tattile smart\+ Traffic Light Firmware
Tattile tolling\+
Tattile tolling\+ Firmware
Tattile vega11 Firmware
Tattile vega33 Firmware
Tattile vega53 Firmware
CPEs cpe:2.3:h:tattile:anpr_mobile:-:*:*:*:*:*:*:*
cpe:2.3:h:tattile:axle_counter:-:*:*:*:*:*:*:*
cpe:2.3:h:tattile:basic_mk2:-:*:*:*:*:*:*:*
cpe:2.3:h:tattile:smart\+:-:*:*:*:*:*:*:*
cpe:2.3:h:tattile:smart\+_speed:-:*:*:*:*:*:*:*
cpe:2.3:h:tattile:smart\+_traffic_light:-:*:*:*:*:*:*:*
cpe:2.3:h:tattile:tolling\+:-:*:*:*:*:*:*:*
cpe:2.3:h:tattile:vega11:-:*:*:*:*:*:*:*
cpe:2.3:h:tattile:vega33:-:*:*:*:*:*:*:*
cpe:2.3:h:tattile:vega53:-:*:*:*:*:*:*:*
cpe:2.3:o:tattile:anpr_mobile_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:tattile:axle_counter_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:tattile:basic_mk2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:tattile:smart\+_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:tattile:smart\+_speed_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:tattile:smart\+_traffic_light_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:tattile:tolling\+_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:tattile:vega11_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:tattile:vega33_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:tattile:vega53_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tattile anpr Mobile Firmware
Tattile axle Counter Firmware
Tattile basic Mk2 Firmware
Tattile smart\+
Tattile smart\+ Firmware
Tattile smart\+ Speed
Tattile smart\+ Speed Firmware
Tattile smart\+ Traffic Light
Tattile smart\+ Traffic Light Firmware
Tattile tolling\+
Tattile tolling\+ Firmware
Tattile vega11 Firmware
Tattile vega33 Firmware
Tattile vega53 Firmware
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Tattile
Tattile anpr Mobile
Tattile axle Counter
Tattile basic Mk2
Tattile smart+
Tattile smart+ Speed
Tattile smart+ Traffic Light
Tattile tolling+
Tattile vega11
Tattile vega33
Tattile vega53
Vendors & Products Tattile
Tattile anpr Mobile
Tattile axle Counter
Tattile basic Mk2
Tattile smart+
Tattile smart+ Speed
Tattile smart+ Traffic Light
Tattile tolling+
Tattile vega11
Tattile vega33
Tattile vega53

Tue, 24 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
Description Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior ship with default credentials that are not forced to be changed during installation or commissioning. An attacker who can reach the management interface can authenticate using the default credentials and gain administrative access, enabling unauthorized access to device configuration and data.
Title Tattile Smart+ / Vega / Basic <= 1.181.5 Default Credentials
Weaknesses CWE-1392
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:31:06.767Z

Reserved: 2026-02-13T17:28:43.054Z

Link: CVE-2026-26341

Vulnrichment

Updated: 2026-02-24T21:33:12.476Z

NVD

Status: Analyzed

Published: 2026-02-24T20:27:48.103

Modified: 2026-02-26T17:31:23.003

Link: CVE-2026-26341

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:30:15Z
