eNet SMART HOME Default Credentials RCE (CVE-2026-26366)
CVE-2026-26366
Critical 9.8 flaw in eNet SMART HOME server 2.2.1 & 2.3.1 allows remote attackers full control via unchanged default credentials (user/user, admin/admin). Change passwords immediately.
Patch now - CVE-2026-26366 is a critical authentication bypass in eNet SMART HOME Server 2.2.1 and 2.3.1 that grants unauthenticated attackers full administrative control using well-known default credentials. Administrators must immediately change all default passwords to prevent remote takeover of smart home devices.
Security Advisory: Critical Default Credential Vulnerability in eNet SMART HOME Server
Overview
A critical security vulnerability exists in the eNet SMART HOME server software, versions 2.2.1 and 2.3.1. The software is shipped with active, well-known default usernames and passwords. These credentials are not disabled during the initial setup process, and the system does not force users to change them. This allows anyone with network access to the server to log in with full administrative privileges.
Vulnerability Details (CVE-2026-26366)
The affected software versions contain two default user accounts:
- Username: user, with password: user
- Username: admin, with password: admin
These accounts are fully functional upon installation and remain active unless manually changed by the administrator. The absence of a mandatory password change during the commissioning process is the core failure, leaving systems in a known, vulnerable state.
Potential Impact
The impact of this vulnerability is severe. An unauthenticated attacker who can reach the eNet SMART HOME server on your network can:
- Gain Full Administrative Control: Log in and manipulate all smart home devices and settings.
- Access Sensitive Data: View configuration details, user information, and device logs.
- Disrupt Home Operations: Remotely lock/unlock doors, control lighting, thermostats, security cameras, and other connected appliances.
- Pivot to Other Systems: Use the compromised server as a foothold to attack other devices on the local network.
This poses significant safety, privacy, and security risks to the home environment and its occupants.
Remediation and Mitigation Steps
Immediate action is required for all administrators running the affected software.
1. Primary Remediation (Mandatory):
- Change All Default Passwords Immediately. Log into the eNet SMART HOME server interface and change the passwords for both the admin and user accounts to strong, unique passwords. This is the most critical step.
2. Network Security Mitigations:
- Restrict Network Access: Ensure the eNet SMART HOME server is not directly exposed to the public internet. It should be placed behind a firewall on a secured internal network segment.
- Implement Network Segmentation: Consider placing IoT and smart home devices on a separate VLAN isolated from primary business or personal computing networks.
3. General Security Hygiene:
- Monitor for Updates: Regularly check with the vendor (eNet) for a patched software version that removes these default credentials or enforces a password change on first use. Apply any official patches promptly.
- Conduct Regular Audits: Periodically review all IoT and network device configurations for default or weak credentials.
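To illustrate step 3 (auditing for default or weak credentials), here is an added example that is not part of the advisory and not eNet code: it checks an exported account inventory for the two default accounts named above and, going a little beyond the advisory, for any account whose password equals its username or that never had a password change after commissioning. The salted SHA-256 storage format and the record fields are assumptions; the sample inventory is constructed.

```python
import hashlib
from typing import Iterable

# Default accounts named in the advisory for eNet SMART HOME server 2.2.1 / 2.3.1.
DEFAULT_CREDENTIALS = {"user": "user", "admin": "admin"}


def pw_hash(password: str, salt: str) -> str:
    """Salted SHA-256; an assumed stand-in, not the server's real storage format."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def audit_accounts(accounts: Iterable[dict]) -> list[dict]:
    """Flag accounts that are still in the state the advisory describes.

    Each record is assumed to carry: username, salt, hash (see pw_hash) and a
    boolean password_changed_after_setup. Checks performed:
      1. stored hash matches the advisory's vendor default for that username;
      2. stored hash matches the username itself (password == username), which
         generalises check 1 to accounts the advisory does not list;
      3. no password change has been recorded since commissioning.
    """
    findings = []
    for acct in accounts:
        name, salt, stored = acct["username"], acct["salt"], acct["hash"]
        reasons = []
        default_pw = DEFAULT_CREDENTIALS.get(name)
        if default_pw is not None and pw_hash(default_pw, salt) == stored:
            reasons.append("vendor default password still set")
        elif pw_hash(name, salt) == stored:
            reasons.append("password equals username")
        if not acct.get("password_changed_after_setup", False):
            reasons.append("no password change recorded since commissioning")
        if reasons:
            findings.append({"username": name, "reasons": reasons})
    return findings


# Constructed sample inventory (not real data): one untouched default account,
# one properly re-keyed account, one custom account using its username as password.
SAMPLE_ACCOUNTS = [
    {"username": "admin", "salt": "a1", "hash": pw_hash("admin", "a1"),
     "password_changed_after_setup": False},
    {"username": "user", "salt": "u1", "hash": pw_hash("Tq7!vm-Lantern-91", "u1"),
     "password_changed_after_setup": True},
    {"username": "installer", "salt": "i1", "hash": pw_hash("installer", "i1"),
     "password_changed_after_setup": True},
]

if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_ACCOUNTS):
        print(f["username"], "->", "; ".join(f["reasons"]))
```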
Disclaimer: This advisory is based on publicly available information. Organizations should validate this information against their own systems and monitoring.