Title: eNet SMART HOME server 2.3.1 (deleteUserAccount) Arbitrary User Deletion
Advisory ID: ZSL-2026-5973
Type: Local/Remote
Impact: Denial of Service, Privilege Escalation, Security Bypass
Risk: (4/5)
Release Date: 14.02.2026

Summary:
The eNet SMART HOME system contains an authorization weakness in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user (UG_USER) to delete arbitrary user accounts, except for the built-in admin account. This can lead to unauthorized user management actions, disruption of operations, and potential concealment of malicious activity.

Vendor: Gira Giersiepen GmbH & Co. KG
Affected Version: 2.3.1 (46841), 2.2.1 (46056)
Tested On: GNU/Linux 4.4.15 (ARMv7 revision 5), Jetty(9.2.z-SNAPSHOT)

Vendor Status:
- [07.02.2026] Vulnerability discovered.
- [07.02.2026] Vendor contacted.
- [13.02.2026] No response from the vendor.
- [14.02.2026] Public security advisory released.

PoC: enet_usrdel.txt

Credits: Vulnerability discovered by Gjoko Krstic

References:
- [1] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5975.php
- [2] https://packetstorm.security.files/id/215700/
- [3] https://www.vulncheck.com/advisories/jung-enet-smart-home-server-arbitrary-user-deletion-via-deleteuseraccount
- [4] https://www.cve.org/CVERecord?id=CVE-2026-26367

Changelog:
- [14.02.2026] - Initial release
- [17.02.2026] - Added reference [2], [3] and [4]
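
Mitigation sketch (added example, not vendor code and not part of the original advisory): a deny-by-default, per-method authorization gate for a JSON-RPC dispatcher, keyed on the server-side session group and recording denied calls. Only deleteUserAccount and UG_USER come from the advisory; UG_ADMIN, the "admin" login, the "userName" parameter, getCurrentUser and the sample accounts are assumptions.

```python
from dataclasses import dataclass

UG_USER = "UG_USER"        # low-privileged group named in the advisory
UG_ADMIN = "UG_ADMIN"      # assumed name of the administrative group
BUILTIN_ADMIN = "admin"    # assumed login of the built-in admin account

# Method -> groups allowed to call it; anything not listed is rejected.
METHOD_ACL = {
    "deleteUserAccount": {UG_ADMIN},
    "getCurrentUser": {UG_USER, UG_ADMIN},   # hypothetical harmless method
}

@dataclass
class Session:
    user: str
    group: str             # set by the server at login, never taken from the request

def _error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}

def dispatch(session, request, accounts, audit):
    """Authorize every call against the session before touching any state."""
    req_id, method = request.get("id"), request.get("method")
    params = request.get("params")
    params = params if isinstance(params, dict) else {}
    allowed = METHOD_ACL.get(method)
    if allowed is None:
        return _error(req_id, -32601, "Method not found")
    if session.group not in allowed:
        audit.append(("DENY", session.user, method, params.get("userName")))
        return _error(req_id, -32000, "forbidden")
    if method == "deleteUserAccount":
        target = params.get("userName")
        if target == BUILTIN_ADMIN or target not in accounts:
            return _error(req_id, -32000, "cannot delete account")
        del accounts[target]
        audit.append(("DELETE", session.user, method, target))
        return {"jsonrpc": "2.0", "id": req_id, "result": True}
    return {"jsonrpc": "2.0", "id": req_id, "result": session.user}

def demo():
    accounts = {"admin": UG_ADMIN, "alice": UG_USER, "bob": UG_USER}  # constructed data
    audit = []
    req = {"jsonrpc": "2.0", "id": 1, "method": "deleteUserAccount",
           "params": {"userName": "bob"}}
    as_user = dispatch(Session("alice", UG_USER), req, accounts, audit)
    kept = "bob" in accounts                 # the low-privileged call changed nothing
    as_admin = dispatch(Session("admin", UG_ADMIN), req, accounts, audit)
    return as_user, kept, as_admin, sorted(accounts), audit
```

The audit tuples give operators a record of who attempted or performed each deletion, which addresses the concealment concern in the summary.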