Key Vulnerability Information

Advisory ID: ZSL-2026-5972
Title: eNet SMART HOME server 2.3.1 (deleteUserAccount) Arbitrary User Deletion
Type: Local/Remote
Impact: System Access, DoS, Privilege Escalation
Risk: 5/5
Release Date: 14.02.2026

Summary
The eNet SMART HOME system ships with default credentials that remain active after installation and commissioning without enforcing a mandatory password change.

Vendor
Gira Giersiepen GmbH & Co. KG

Affected Version
2.3.1 (46841)
2.2.1 (46056)

Tested On
GNU/Linux 4.4.15 (ARMv7 revision 5)
Jetty(9.2.z-SNAPSHOT)

Vendor Status
07.02.2026: Vulnerability discovered.
07.02.2026: Vendor contacted.
13.02.2026: No response from the vendor.
14.02.2026: Public security advisory released.

PoC
enet_default.txt

Credits
Vulnerability discovered by Gjoko Krstic -

References
1. https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5975.php
2. https://packetstorm.news/files/id/215699/
3. https://www.vulncheck.com/advisories/jung-enet-smart-home-server-use-of-default-credentials
4. https://www.cve.org/CVERecord?id=CVE-2026-26366

Changelog
[14.02.2026] - Initial release
[17.02.2026] - Added reference [2], [3] and [4]