eNet SMART HOME Server Missing Authorization Vulnerability in Password Reset Method Allows Account Takeover
Vulnerability
A missing authorization vulnerability has been identified in eNet SMART HOME server versions 2.2.1 and 2.3.1. The issue resides in the resetUserPassword JSON-RPC method, where any authenticated low-privileged user can reset the passwords of arbitrary accounts, including those of administrators, without needing the current password or appropriate privileges. By sending a crafted JSON-RPC request to the management endpoint, an attacker can overwrite existing credentials, leading to unauthorized account access with full administrative rights and persistent privilege escalation.
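The authorization gap described above, shown as an added example that is not code from the eNet server or from the original advisory: a handler with the missing check beside a hardened form. The user store, role names and the `userName`, `newPassword` and `currentPassword` fields are assumptions made for illustration.

```python
import hashlib, hmac, os

# Constructed in-memory user store; roles and field names are assumptions,
# not the eNet server's real schema.
USERS = {}

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(user, password):
    salt = os.urandom(16)
    USERS[user].update(salt=salt, digest=_digest(password, salt))

def check_password(user, password):
    rec = USERS[user]
    return hmac.compare_digest(rec["digest"], _digest(password, rec["salt"]))

def add_user(user, role, password):
    USERS[user] = {"role": role}
    set_password(user, password)

def reset_vulnerable(session_user, params):
    # The flaw: being logged in is the only requirement, and the target
    # account is taken from the request without any privilege check.
    set_password(params["userName"], params["newPassword"])
    return {"result": "ok"}

def reset_hardened(session_user, params):
    # session_user comes from the server-side session, never from the request.
    target = params.get("userName")
    new = params.get("newPassword")
    if target not in USERS or not isinstance(new, str) or not new:
        return {"error": "forbidden"}  # same reply as a denial: no account enumeration
    if target == session_user:
        # Self-service change must prove knowledge of the current password.
        allowed = check_password(target, str(params.get("currentPassword", "")))
    else:
        # Resetting someone else's password is an administrator-only action.
        allowed = USERS[session_user]["role"] == "admin"
    if not allowed:
        return {"error": "forbidden"}
    set_password(target, new)
    return {"result": "ok"}

if __name__ == "__main__":
    add_user("admin", "admin", "constructed-admin-pw")
    add_user("guest", "user", "constructed-guest-pw")
    print(reset_hardened("guest", {"userName": "admin", "newPassword": "x"}))
```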
Impact
Exploitation of this vulnerability allows unauthorized account access with full administrative rights and persistent privilege escalation.
