PT-2026-35820 · Snap One · Wattbox 800+1
Published: 2026-04-28 · Updated: 2026-04-30
CVE-2026-41446
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Snap One WattBox 800 and 820 series versions prior to 2.10.0.0
Description
Undisclosed diagnostic HTTP endpoints require only the device MAC address and service tag for authentication. Both values are printed in plaintext on the physical device label. An attacker with access to the device label or documentation containing these values can authenticate to several endpoints and execute arbitrary commands as root on the device.
Recommendations
Update to firmware version 2.10.0.0.
Fix
RCE
Using Hardcoded Credentials
Hidden Functionality
Related Identifiers
Affected Products
Wattbox 800
Wattbox 820