Cyber Posture

CVE-2026-9139

CriticalPublic PoC
Microsoft: not affectedMSmacOS: not affectedMacLinux: not affectedLnxMobile: not affectedMobNetwork: not affectedNetApplication: not affectedAppOther: affectedOth

Published: 20 May 2026

Published
20 May 2026
Modified
20 May 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score N/A
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-9139 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AC-9 Previous Logon Notification
addresses: CWE-798

Enables users to notice when hard-coded credentials have been exploited for unauthorized access.

AT-3 Role-based Training
addresses: CWE-798

Security training explicitly warns against hard-coded credentials, lowering their use in systems.

IA-1 Policy and Procedures
addresses: CWE-798

Policy and procedures prohibit hard-coded credentials in favor of managed authentication.

IA-13 Identity Providers and Authorization Servers
addresses: CWE-798

External identity providers eliminate the need for hard-coded credentials in applications.

IA-5 Authenticator Management
addresses: CWE-798

Changing default authenticators prior to first use and protecting content prevents use of hard-coded credentials.

PL-9 Central Management
addresses: CWE-798

Central credential stores and rotation policies remove the need for hard-coded credentials in configuration files or code.

PM-16 Threat Awareness Program
addresses: CWE-798

Intelligence programs surface reports of campaigns that abuse hard-coded credentials in products, prompting removal or replacement and thereby reducing successful exploitation.

PM-3 Information Security and Privacy Resources
addresses: CWE-798

Planned investment enables secure credential storage and management systems instead of hard-coded credentials.

NVD Description

Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a hard-coded credential vulnerability in the embedded web configuration interface where authentication is implemented entirely in client-side JavaScript in login.zhtml, exposing static plaintext credentials in the page source. Unauthenticated…

more

attackers with network access can recover administrative credentials directly from the client-side validate() function to obtain full administrative access to the device.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-798

EU & UK References

Regulatory context (EU CRA / NIS2 / DORA / UK NIS Regulations)

EU Cyber Resilience Act — coordinated disclosure

Critical and high-severity vulnerabilities in products with digital elements may trigger coordinated-disclosure obligations under the EU Cyber Resilience Act (CRA, Regulation 2024/2847). Manufacturers placing products on the EU market must notify ENISA and the relevant CSIRTs without undue delay once active exploitation is known.

References