CVE-2026-41446

Received
Published: 28 Apr 2026, 21:15
Last modified:28 Apr 2026, 21:15

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.2 CRITICAL
v4.0 (cve.org)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

28 Apr 2026, 21:15
Published
Vulnerability first disclosed

Description

Snap One WattBox 800 and 820 series firmware versions prior to 2.10.0.0 contain undisclosed diagnostic HTTP endpoints that require only the device MAC address and service tag for authentication, both of which are printed in plaintext on the physical device label. Attackers with access to the device label or documentation containing these values can authenticate to the several endpoints and execute arbitrary commands as root on the device.

CVSS Metrics

  • v4.0CRITICALScore: 9.2CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  • v4.0CRITICALScore: 9.2CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Techniques & Countermeasures

  • CWE-798Use of Hard-coded Credentials

    The product contains hard-coded credentials, such as a password or cryptographic key.

  • CWE-912Hidden Functionality

    The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.

Affected Systems

  • snap one, llcwattbox 800

    < 2.10.0.0

  • snap one, llcwattbox 820

    < 2.10.0.0

References (1)