eNet SMART HOME server lets users reset admin
CVE-2026-26368
Low-privileged user can reset any account password, including admin. Update to the latest fixed version immediately.
Vendor-confirmed: CVE-2026-26368 is a high-severity privilege escalation in eNet SMART HOME server versions 2.2.1 and 2.3.1 that lets any low-privilege user reset any administrator’s password, granting complete server takeover. Apply the vendor’s security patch immediately.
Overview
A critical security flaw has been identified in the eNet SMART HOME server software. This vulnerability allows a user with a standard, low-privilege account to reset the password of any other user on the system, including administrators, without permission or knowledge of the current password.
Vulnerability Details
The vulnerability exists in the resetUserPassword function of the server’s JSON-RPC interface. This function, exposed at the /jsonrpc/management endpoint, fails to verify whether the requesting user is authorized to perform the operation. In software versions 2.2.1 and 2.3.1, any logged-in user, even one with the lowest privilege level (UG_USER), can send a crafted request that changes the password of accounts in high-privilege groups such as UG_ADMIN and UG_SUPER_ADMIN.
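The authorization gap described above, modelled as an added example (not eNet code): a JSON-RPC handler that trusts any authenticated session beside one that checks the caller’s group against the target’s. Only the method name resetUserPassword, the endpoint /jsonrpc/management and the groups UG_USER, UG_ADMIN and UG_SUPER_ADMIN come from the advisory; the parameter names, the group ranking, the error codes and the user records are constructed assumptions.

```python
"""Added example for CVE-2026-26368, not eNet's code. Parameter names
("userName", "newPassword"), the group ranking, the error codes and the
user store are constructed assumptions; only the method name, endpoint
and group names come from the advisory."""

import copy

# Constructed user store: name -> group and placeholder password.
SAMPLE_USERS = {
    "user": {"group": "UG_USER", "password": "user-pw"},
    "admin": {"group": "UG_ADMIN", "password": "admin-pw"},
    "superadmin": {"group": "UG_SUPER_ADMIN", "password": "super-pw"},
}

# Assumed privilege ordering: a caller may manage targets at or below its rank.
RANK = {"UG_USER": 0, "UG_ADMIN": 1, "UG_SUPER_ADMIN": 2}


def fresh_users():
    """Independent copy of the sample store so each run starts clean."""
    return copy.deepcopy(SAMPLE_USERS)


def reset_password_vulnerable(users, caller, params):
    """The pattern the advisory describes: being logged in is treated as
    sufficient, so the caller's group is never consulted."""
    users[params["userName"]]["password"] = params["newPassword"]
    return {"result": True}


def reset_password_fixed(users, caller, params):
    """Hardened handler: validate the target, then require an admin-tier
    caller ranked at least as high as the target. Self-service changes
    belong in a separate flow that proves the current password (assumed)."""
    target = users.get(params.get("userName"))
    if target is None:
        return {"error": {"code": -32602, "message": "invalid params"}}
    caller_rank = RANK[users[caller]["group"]]
    if caller_rank < RANK["UG_ADMIN"] or caller_rank < RANK[target["group"]]:
        # Server-defined JSON-RPC error; one generic message for both
        # branches so the response reveals nothing about the target.
        return {"error": {"code": -32001, "message": "not authorized"}}
    target["password"] = params["newPassword"]
    return {"result": True}


def dispatch(handler, users, caller, request):
    """Stand-in for the /jsonrpc/management dispatcher: the session has
    already bound `caller`; only resetUserPassword is routed here."""
    if request.get("method") != "resetUserPassword":
        return {"error": {"code": -32601, "message": "method not found"}}
    return handler(users, caller, request.get("params", {}))
```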
Impact
The impact of this vulnerability is severe. A malicious actor with any valid user account can:
- Take over administrative accounts, granting them full control of the eNet SMART HOME server.
- Escalate privileges permanently, as the password change is persistent.
- Disrupt system operations, lock out legitimate administrators, and potentially access or manipulate connected smart home devices and sensitive data. This constitutes a complete breach of the system’s access controls.
Affected Products
- eNet SMART HOME server version 2.2.1
- eNet SMART HOME server version 2.3.1
Other versions may also be affected and should be verified.
Remediation and Mitigation
Immediate action is required. If you are running an affected version, you should:
- Apply an official update: Contact the vendor (eNet) immediately to obtain a patched version of the software. Apply the update as soon as it is available. This is the only complete solution.
- Isolate the system (if patching is delayed):
  - Restrict network access to the eNet server’s management interface (port 80/443) to only trusted, necessary administrative IP addresses using firewall rules.
  - Place the server on a segregated network VLAN, isolated from general user and critical infrastructure networks.
- Review and monitor:
  - Audit all user accounts, especially administrative ones, for any unauthorized changes. Reset passwords for all administrative accounts from a secure, uncompromised system.
  - Closely monitor system and authentication logs for any unusual password reset activity or logins from unexpected locations.
Disclaimer: The mitigation steps are temporary measures. The security of the system cannot be guaranteed until the official vendor patch is applied.