CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-26235: Smart Home, Dumb Security: The JUNG Smart Visu Server Remote Kill Switch


Vulnerability ID: CVE-2026-26235
CVSS Score: 8.7
Published: 2026-02-12

In the world of high-end home automation, the JUNG Smart Visu Server is the brain connecting your KNX bus, Philips Hue, and Sonos systems. But thanks to a glaring oversight in its REST API, it is also a ticking time bomb. CVE-2026-26235 reveals that this 'smart' server exposes critical system controls, specifically the reboot and shutdown functions, to the entire network without a shred of authentication. Any unauthenticated attacker can pull the plug on the building's automation logic with a single HTTP request, turning a smart home into a bricked house.

TL;DR

Unauthenticated Remote Denial of Service in JUNG Smart Visu Server 1.1.1050 via the REST API. An attacker can remotely reboot or shut down the device using a simple JSON POST request.


⚠️ Exploit Status: PoC

Technical Details

  • CWE: CWE-306: Missing Authentication for Critical Function
  • CVSS v4.0: 8.7 (High)
  • Attack Vector: Network (Remote)
  • Impact: Denial of Service (DoS)
  • Exploit Status: PoC Publicly Available
  • Vendor Status: Unpatched (0-day)

Affected Systems

  • JUNG Smart Visu Server 1.1.1050
  • Smart Visu Server: version 1.1.1050 (Fixed in: None)

Exploit Details

  • Zero Science Lab: Bash script demonstrating remote reboot and halt commands via curl.

Mitigation Strategies

  • Network Segmentation
  • Reverse Proxy Authentication
  • Access Control Lists (ACLs)

Remediation Steps:

  1. Isolate the JUNG Smart Visu Server on a restricted Management VLAN.
  2. Block all external access to port 8080 (Jetty) at the firewall level.
  3. Implement a Reverse Proxy (Nginx/Apache) in front of the device to enforce Basic Authentication.
  4. Monitor network traffic for POST requests to /rest/items/liteserver_LiteServer_1_systemControl.
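One way to implement the monitoring in step 4, as an added example that is not from the advisory or the vendor: a Python check over constructed reverse-proxy access-log lines (combined log format is assumed) that flags every POST to the systemControl item and records whether the source sits inside an assumed management VLAN (10.10.50.0/24 is a placeholder).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Endpoint named in the advisory's remediation steps.
SYSTEM_CONTROL_PATH = "/rest/items/liteserver_LiteServer_1_systemControl"

# Assumed management VLAN allowed to reach the server (placeholder range).
MANAGEMENT_NET = ipaddress.ip_network("10.10.50.0/24")

# Combined log format as written by an Nginx/Apache reverse proxy (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

@dataclass
class Alert:
    timestamp: str
    client_ip: str
    reason: str

def check_line(line: str) -> Optional[Alert]:
    """Return an Alert if the line is a POST to the systemControl item."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or non-HTTP line: ignore
    path = m["path"].split("?", 1)[0]  # ignore any query string
    if m["method"] != "POST" or path != SYSTEM_CONTROL_PATH:
        return None
    if ipaddress.ip_address(m["ip"]) in MANAGEMENT_NET:
        reason = "systemControl POST from management VLAN (verify change record)"
    else:
        reason = "systemControl POST from outside management VLAN"
    return Alert(m["ts"], m["ip"], reason)

def scan(lines: Iterable[str]) -> List[Alert]:
    return [a for a in (check_line(l) for l in lines) if a is not None]

# Constructed sample log lines, not captured traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Feb/2026:10:15:02 +0000] "POST /rest/items/liteserver_LiteServer_1_systemControl HTTP/1.1" 200 12 "-" "curl/8.5.0"',
    '10.10.50.21 - - [12/Feb/2026:10:16:40 +0000] "GET /rest/items HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.50.21 - - [12/Feb/2026:10:17:05 +0000] "POST /rest/items/liteserver_LiteServer_1_systemControl HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    '198.51.100.9 - - [12/Feb/2026:10:18:00 +0000] "POST /rest/items/knx_Light_1 HTTP/1.1" 200 10 "-" "curl/8.5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.timestamp} {alert.client_ip}: {alert.reason}")
```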

Read the full report for CVE-2026-26235 on our website for more details including interactive diagrams and full exploit analysis.
