Enet Smart Home
eNet SMART HOME server has a privilege escalation vulnerability enabling low-privileged users to gain admin access to the home automation system.
eNet Smart Home server versions 2.2.1 and 2.3.1 are missing an authorization check in the resetUserPassword JSON-RPC method: the server verifies that the caller is authenticated but not that the caller is permitted to change the target account, so any low-privileged user can reset the password of an administrative account. Public exploit code exists, giving an attacker immediate privilege escalation and full administrative control over the smart home system. No patch is currently available, leaving deployed instances exposed to account takeover.
eNet Smart Home server versions 2.2.1 and 2.3.1 likewise allow any authenticated user to delete arbitrary user accounts through an authorization bypass in the deleteUserAccount JSON-RPC method: a low-privileged user submits a crafted request naming another account and the server removes it without requiring elevated permissions. Public exploit code exists for this vulnerability as well. The impact is unauthorized account deletion, administrative accounts included, and the resulting denial of service; no patch is currently available.
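To make the bug class behind both JSON-RPC entries concrete, here is an added Python illustration; it is not code from eNet Smart Home, its vendor, or the public exploits. It models a toy JSON-RPC 2.0 user service whose vulnerable mode checks only that the caller is authenticated before honouring resetUserPassword and deleteUserAccount, and whose hardened mode adds the authorization step that is missing. The two method names follow the advisories; the parameter names userName and newPassword, the account set, and the error codes are assumptions made for the example.

```python
# Added illustration, not eNet Smart Home's code: a toy JSON-RPC 2.0 user service.
# enforce_authz=False reproduces the advisories' bug class (authentication is
# checked, authorization is not); enforce_authz=True is the hardened form.
import json
import secrets
from dataclasses import dataclass

ADMIN, USER = "admin", "user"

@dataclass
class Account:
    name: str
    role: str
    password: str  # plaintext only because this is a toy model

def seed_accounts():
    # Constructed sample data: admin:admin and user:user mirror the factory
    # defaults the page mentions; "alice" is an assumed extra account.
    return {"admin": Account("admin", ADMIN, "admin"),
            "user": Account("user", USER, "user"),
            "alice": Account("alice", USER, secrets.token_hex(8))}

def rpc_error(rid, code, message):
    return {"jsonrpc": "2.0", "id": rid, "error": {"code": code, "message": message}}

class UserService:
    def __init__(self, enforce_authz):
        self.accounts = seed_accounts()
        self.enforce_authz = enforce_authz

    def _authorize(self, caller, target, self_service_ok):
        # The step the vulnerable mode omits: admins may act on any account,
        # ordinary users only on their own, and only for self-service actions.
        if self.accounts[caller].role == ADMIN:
            return
        if self_service_ok and caller == target:
            return
        raise PermissionError(f"{caller} may not act on {target}")

    def reset_user_password(self, caller, target, new_password):
        if self.enforce_authz:
            self._authorize(caller, target, self_service_ok=True)
        self.accounts[target].password = new_password
        return {"reset": target}

    def delete_user_account(self, caller, target):
        if self.enforce_authz:
            self._authorize(caller, target, self_service_ok=False)
            # Deleting the last admin would lock everyone out of the system.
            if not any(a.role == ADMIN and a.name != target for a in self.accounts.values()):
                raise PermissionError("refusing to delete the last admin")
        del self.accounts[target]
        return {"deleted": target}

    def handle(self, session_user, request_json):
        # Dispatch one JSON-RPC 2.0 request for an already authenticated session.
        # The method and parameter names here are assumptions, not the product's.
        req = json.loads(request_json)
        rid, params = req.get("id"), req.get("params", {})
        if session_user not in self.accounts:
            return rpc_error(rid, -32001, "unauthenticated")
        try:
            if req.get("method") == "resetUserPassword":
                result = self.reset_user_password(session_user, params["userName"], params["newPassword"])
            elif req.get("method") == "deleteUserAccount":
                result = self.delete_user_account(session_user, params["userName"])
            else:
                return rpc_error(rid, -32601, "method not found")
        except PermissionError as exc:
            return rpc_error(rid, -32003, str(exc))
        except KeyError as exc:
            return rpc_error(rid, -32602, f"bad params: {exc}")
        return {"jsonrpc": "2.0", "id": rid, "result": result}

def demo():
    # Replay the low-privileged "user" session against both modes and report
    # what happened to the admin password and to alice's account.
    reset = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "resetUserPassword",
                        "params": {"userName": "admin", "newPassword": "pwned"}})
    delete = json.dumps({"jsonrpc": "2.0", "id": 2, "method": "deleteUserAccount",
                         "params": {"userName": "alice"}})
    outcome = {}
    for label, enforce in (("vulnerable", False), ("hardened", True)):
        svc = UserService(enforce_authz=enforce)
        r_reset, r_delete = svc.handle("user", reset), svc.handle("user", delete)
        outcome[label] = {"admin_password": svc.accounts["admin"].password,
                          "alice_exists": "alice" in svc.accounts,
                          "reset_error": r_reset.get("error", {}).get("code"),
                          "delete_error": r_delete.get("error", {}).get("code")}
    return outcome

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it shows, for each mode, the admin password and whether alice still exists after a session logged in as the default user account issued both calls. The vulnerable mode accepts both; the hardened mode refuses both with a JSON-RPC error while still letting a user reset their own password and an admin manage other accounts, and it refuses to delete the last administrator, which is the lockout/denial-of-service angle the deleteUserAccount entry points at.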
eNet SMART HOME server ships with default credentials (user:user and admin:admin; CVSS 9.8), giving anyone who can reach the server immediate administrative access until the passwords are changed. Even where only the admin password has been changed, the default user:user login satisfies the "authenticated low-privileged user" precondition of the resetUserPassword and deleteUserAccount bypasses above.