Skip to main content

Taiko AG1000-01A CVE-2026-9141

| EUVDEUVD-2026-31189 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-05-20 VulnCheck GHSA-c89f-cvmv-ffjf
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 20, 2026 - 20:30 vuln.today
CVSS changed
May 20, 2026 - 20:22 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)

DescriptionCVE.org

Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains an authentication bypass vulnerability in the embedded web configuration interface that allows unauthenticated attackers to access internal application pages without any session management or server-side authentication checks. Attackers with network access can directly request internal resources such as index.zhtml, point.zhtml, and log.shtml to gain full administrative read and write access, enabling unauthorized modification of alarm routing, device configuration, and disruption of monitoring and control functions.

AnalysisAI

Authentication bypass in Taiko AG1000-01A SMS Alert Gateway (Rev 7.3 and Rev 8) lets remote attackers reach the embedded web configuration interface without any login, granting full administrative read and write access over alarm routing and device settings. The CVSS 4.0 score of 9.3 reflects unauthenticated network exploitation with high impact on confidentiality, integrity, and availability, and a public technical write-up exists on Medium alongside a VulnCheck advisory, though no public exploit identified at time of analysis.

Technical ContextAI

The AG1000-01A is an SMS alert/alarm gateway appliance commonly deployed in industrial monitoring, telemetry, and facility-management environments to relay alarm events from connected sensors and control points to operators via SMS. Its administrative interface is an embedded HTTP server serving Zhuhai/embedded-style pages (.zhtml, .shtml) such as index.zhtml, point.zhtml, and log.shtml. The root cause is CWE-306 (Missing Authentication for Critical Function): these internal pages are reachable directly by URL without any server-side session validation, meaning the firmware never enforces an authentication check on requests for protected resources - login is effectively a client-side or front-page-only construct that can be bypassed by requesting the back-end pages directly.

RemediationAI

No vendor-released patch identified at time of analysis, so remediation must rely on compensating controls until Taiko publishes fixed firmware. Place affected AG1000-01A gateways on an isolated management VLAN and restrict inbound access to the web interface (typically TCP/80 and TCP/443) to a small allowlist of administrator workstations via firewall or ACL - this is the highest-value control since the bypass requires only network reachability. Front the device with a reverse proxy that enforces authentication (HTTP basic, client certificate, or VPN-only access) before requests reach the embedded server, accepting the trade-off that legitimate operators must reauthenticate at the proxy and any automated SMS-triggering integrations must be updated with new credentials. Monitor the device's access logs and upstream firewall for requests to index.zhtml, point.zhtml, and log.shtml from unexpected source IPs as an indicator of exploitation, and consult https://www.vulncheck.com/advisories/taiko-ag1000-01a-rev-8-authentication-bypass-via-web-interface for further vendor coordination updates.

Share

CVE-2026-9141 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy