Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains an authentication bypass vulnerability in the embedded web configuration interface that allows unauthenticated attackers to access internal application pages without any session management or server-side authentication checks. Attackers with network access can directly request internal resources such as index.zhtml, point.zhtml, and log.shtml to gain full administrative read and write access, enabling unauthorized modification of alarm routing, device configuration, and disruption of monitoring and control functions.
AnalysisAI
Authentication bypass in Taiko AG1000-01A SMS Alert Gateway (Rev 7.3 and Rev 8) lets remote attackers reach the embedded web configuration interface without any login, granting full administrative read and write access over alarm routing and device settings. The CVSS 4.0 score of 9.3 reflects unauthenticated network exploitation with high impact on confidentiality, integrity, and availability, and a public technical write-up exists on Medium alongside a VulnCheck advisory, though no public exploit identified at time of analysis.
Technical ContextAI
The AG1000-01A is an SMS alert/alarm gateway appliance commonly deployed in industrial monitoring, telemetry, and facility-management environments to relay alarm events from connected sensors and control points to operators via SMS. Its administrative interface is an embedded HTTP server serving Zhuhai/embedded-style pages (.zhtml, .shtml) such as index.zhtml, point.zhtml, and log.shtml. The root cause is CWE-306 (Missing Authentication for Critical Function): these internal pages are reachable directly by URL without any server-side session validation, meaning the firmware never enforces an authentication check on requests for protected resources - login is effectively a client-side or front-page-only construct that can be bypassed by requesting the back-end pages directly.
RemediationAI
No vendor-released patch identified at time of analysis, so remediation must rely on compensating controls until Taiko publishes fixed firmware. Place affected AG1000-01A gateways on an isolated management VLAN and restrict inbound access to the web interface (typically TCP/80 and TCP/443) to a small allowlist of administrator workstations via firewall or ACL - this is the highest-value control since the bypass requires only network reachability. Front the device with a reverse proxy that enforces authentication (HTTP basic, client certificate, or VPN-only access) before requests reach the embedded server, accepting the trade-off that legitimate operators must reauthenticate at the proxy and any automated SMS-triggering integrations must be updated with new credentials. Monitor the device's access logs and upstream firewall for requests to index.zhtml, point.zhtml, and log.shtml from unexpected source IPs as an indicator of exploitation, and consult https://www.vulncheck.com/advisories/taiko-ag1000-01a-rev-8-authentication-bypass-via-web-interface for further vendor coordination updates.
More in Ag1000 01A Sms Alert Gateway
View allAuthentication bypass in the Taiko AG1000-01A SMS Alert Gateway (Rev 7.3 and Rev 8) allows unauthenticated remote attack
Stored cross-site scripting in the Taiko AG1000-01A SMS Alert Gateway (Rev 7.3 and Rev 8) lets authenticated low-privile
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31189
GHSA-c89f-cvmv-ffjf