Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a hard-coded credential vulnerability in the embedded web configuration interface where authentication is implemented entirely in client-side JavaScript in login.zhtml, exposing static plaintext credentials in the page source. Unauthenticated attackers with network access can recover administrative credentials directly from the client-side validate() function to obtain full administrative access to the device.
AnalysisAI
Authentication bypass in the Taiko AG1000-01A SMS Alert Gateway (Rev 7.3 and Rev 8) allows unauthenticated remote attackers to recover hard-coded administrative credentials by viewing the page source of login.zhtml, because the validate() function performs credential checking entirely client-side. With a CVSS 4.0 base score of 9.3 (AV:N/AC:L/PR:N/UI:N) and a VulnCheck advisory plus a public Medium write-up, the flaw is trivially exploitable, though no public exploit identified at time of analysis as a packaged tool and the device is not currently listed in CISA KEV.
Technical ContextAI
The AG1000-01A is a Taiko Network Communications SMS alert gateway appliance whose administrative interface is delivered through an embedded zhtml-based web server. The root cause is CWE-798 (Use of Hard-coded Credentials) compounded by a client-side-only authentication design: the login page (login.zhtml) ships a JavaScript validate() function that compares user-supplied values against literal strings embedded in the script, so the static plaintext username/password pair is visible to anyone who fetches the page. Because no server-side check enforces the credential, the embedded secret cannot be rotated by an operator and is shared across every deployed unit of the affected revisions identified by CPE taiko_network_communications_pte_ltd.:ag1000-01a_sms_alert_gateway.
RemediationAI
No vendor-released patch identified at time of analysis; the references point only to VulnCheck and a researcher write-up rather than a Taiko firmware update, so operators should contact Taiko Network Communications directly to confirm whether a fixed revision beyond Rev 8 exists. As compensating controls, restrict the device's web management interface to a dedicated management VLAN or jump host and block inbound TCP access from untrusted networks at the perimeter firewall, accepting that legitimate remote administrators will need VPN access; place the gateway behind a reverse proxy that enforces its own authentication layer in front of login.zhtml, noting this does not remove the embedded credential but raises the exploitation bar; and audit logs for any successful administrative session originating from unexpected source addresses. Consult the VulnCheck advisory (https://www.vulncheck.com/advisories/taiko-ag1000-01a-rev-8-hard-coded-credentials-via-login-zhtml) for any updated vendor guidance.
More in Ag1000 01A Sms Alert Gateway
View allAuthentication bypass in Taiko AG1000-01A SMS Alert Gateway (Rev 7.3 and Rev 8) lets remote attackers reach the embedded
Stored cross-site scripting in the Taiko AG1000-01A SMS Alert Gateway (Rev 7.3 and Rev 8) lets authenticated low-privile
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31179
GHSA-jj2w-phrm-32r8