CRITICALVulnerability
Verified
Global

NVD CRITICAL: CVE-2026-9141 — Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains an authentication ...

·Source: NIST NVD

Updated:

Executive Summary

Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains an authentication bypass vulnerability in the embedded web configuration interface that allows unauthenticated attackers to access internal application pages without any session management or server-side authentication checks. Attackers with network access can directly request internal resources such as index.zhtml, point.zhtml, and log

Analysis

Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains an authentication bypass vulnerability in the embedded web configuration interface that allows unauthenticated attackers to access internal application pages without any session management or server-side authentication checks. Attackers with network access can directly request internal resources such as index.zhtml, point.zhtml, and log.shtml to gain full administrative read and write access, enabling unauthorized modification of alarm routing, device configuration, and disruption of monitoring and control functions. CVSS Score: 9.8. Published: 2026-05-20T20:16:46.480.

Indicators of Compromise (1)

CVE (1)
CVE-2026-9141
NVDMITRE CVE
Source Attribution

Originally published by NIST NVD on May 20, 2026. Verified by: NIST.

Related Threats

MEDIUMVulnerability

Cyber Pros Can't Decide If AI Is a Good or a Bad Thing

There is nothing cybersecurity professionals are more excited about, and nothing they fear more, than AI.

Dark Reading
MEDIUMVulnerability

Fake Android Apps Commit Carrier Billing Fraud for Premium Svcs.

The disguised apps use WebView automation, JavaScript injection, and OTP interception to avoid detection and complete fraudulent subscriptions.

Dark Reading
CRITICALVulnerability

NVD CRITICAL: CVE-2026-9139 — Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a hard-coded crede...

Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a hard-coded credential vulnerability in the embedded web configuration interface where authentication is implemented entirely in client-side JavaScript in login.zhtml, exposing static plaintext credentials in the page source. Unauthenticated attackers with network access can recover administrative credentials directly from the client-s

CVE-2026-9139
NIST NVD