CVE-2026-26369
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
eNet SMART HOME server 2.2.1 and 2.3.1 contain a privilege escalation vulnerability due to insufficient authorization checks in the setUserGroup JSON-RPC method. A low-privileged user (UG_USER) can send a crafted POST request to /jsonrpc/management specifying their own username to elevate their account to the UG_ADMIN group, bypassing intended access controls and gaining administrative capabilities such as modifying device configurations, network settings, and other smart home system functions.
Analysis
eNet SMART HOME server has a privilege escalation vulnerability enabling low-privileged users to gain admin access to the home automation system.
Remediation
Within 24 hours: Identify and inventory all eNet SMART HOME servers running versions 2.2.1 or 2.3.1; isolate affected systems from production networks or disable JSON-RPC access if operationally feasible; establish incident response readiness. Within 7 days: Implement network segmentation to restrict access to affected servers; deploy WAF rules to block setUserGroup JSON-RPC method calls; monitor logs for exploitation attempts. …
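For the log-monitoring step above, an added example (not from this page or the vendor) that classifies setUserGroup calls found in proxy log records. The record fields (`user`, `verb`, `path`, `body`), the `P_*` params keys and `P_OTHER_METHOD` are placeholders, since the page does not give the method's parameter names; the check therefore searches every params value instead of named keys.

```python
import json

# Endpoint, method and group names are taken from the advisory text.
ENDPOINT, METHOD, ADMIN_GROUP = "/jsonrpc/management", "setUserGroup", "UG_ADMIN"
ORDER = ["self-escalation", "admin-grant", "group-change"]  # most to least severe

def strings_in(value):
    """Yield every string nested anywhere in a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (dict, list)):
        for item in (value.values() if isinstance(value, dict) else value):
            yield from strings_in(item)

def rpc_calls(body):
    """Decode a body into JSON-RPC call objects; a batch yields several calls."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return []
    return [c for c in (doc if isinstance(doc, list) else [doc]) if isinstance(c, dict)]

def classify(record):
    """Return the most severe verdict for one log record, or None if unrelated."""
    path = str(record.get("path", "")).split("?")[0].rstrip("/")
    if record.get("verb") != "POST" or path != ENDPOINT:
        return None
    verdicts = []
    for call in rpc_calls(record.get("body")):
        if call.get("method") != METHOD:
            continue
        seen = set(strings_in(call.get("params")))
        verdicts.append("group-change" if ADMIN_GROUP not in seen else
                        "self-escalation" if record.get("user") in seen else "admin-grant")
    return min(verdicts, key=ORDER.index) if verdicts else None

def sample_record(user, method, params):  # builds one constructed log record
    return {"user": user, "verb": "POST", "path": ENDPOINT,
            "body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params})}

# Constructed sample data; P_* keys and P_OTHER_METHOD are placeholders.
SAMPLE = [
    sample_record("alice", METHOD, {"P_USER": "alice", "P_GROUP": ADMIN_GROUP}),
    sample_record("admin", METHOD, {"P_USER": "bob", "P_GROUP": "UG_USER"}),
    sample_record("alice", "P_OTHER_METHOD", {}),
]

def scan(records):
    return [(r["user"], v) for r in records if (v := classify(r))]
```

A `self-escalation` verdict means the authenticated caller's own username appears in the same call as UG_ADMIN, which is the pattern the description gives; the other verdicts are for manual review.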