Unauthenticated Reboot/Shutdown Vulnerability (CVE‑2026‑26235) Enables DoS on JUNG Smart Visu Server 1.1.1050
What Happened — A publicly‑available exploit (EDB‑52536) demonstrates that any unauthenticated user can trigger the /cgi-bin/reboot.sh or /cgi-bin/shutdown.sh endpoints on JUNG Smart Visu Server ≤ 1.1.1050, causing an immediate reboot or power‑off of the device. The flaw is classified as CWE‑306 (Missing Authentication) and is tracked as CVE‑2026‑26235.
Why It Matters for TPRM —
- An attacker can induce a denial‑of‑service on critical industrial‑control visualisation nodes without needing credentials.
- Service interruption can cascade to production lines, building‑automation systems, or energy‑grid monitoring, inflating third‑party risk exposure.
- The vulnerability is exploitable over the network, making remote attackers a realistic threat vector.
Who Is Affected — Manufacturing & industrial automation firms, energy utilities, building‑management service providers, and any organization that deploys JUNG Smart Visu Server (on‑prem embedded Linux).
Recommended Actions —
- Verify the version of Smart Visu Server in use; upgrade to a patched release (≥ 1.1.1051) if available.
- If immediate upgrade is not possible, block external access to /cgi-bin/reboot.sh and /cgi-bin/shutdown.sh via firewall or reverse‑proxy rules.
- Conduct a configuration audit to ensure authentication is enforced on all management endpoints.
- Review SLAs with the vendor for incident‑response timelines and confirm that remediation commitments are documented.
Technical Notes — The exploit sends an unauthenticated HTTP POST to the vulnerable endpoint, optionally over HTTPS with certificate verification disabled. No payload is required; the server responds with HTTP 200/302, indicating the command was accepted. The issue stems from missing authentication checks (CWE‑306) on critical system scripts.
Source: Exploit‑DB 52536
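The request pattern in the Technical Notes (a request to one of the two power‑control scripts that the device answers with 200/302) can be hunted for in web‑server or reverse‑proxy access logs. The following detection script is an added example, not part of the advisory or of the vendor's product; the log lines are constructed, and the trusted management range 10.0.0.0/24 is an assumption.

```python
import re
from typing import Dict, List

# Constructed access-log lines (common log format) illustrating the request
# pattern described in the Technical Notes. Not captured from a real device.
SAMPLE_LOG = """\
10.0.0.23 - - [14/Mar/2026:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [14/Mar/2026:09:12:05 +0000] "POST /cgi-bin/reboot.sh HTTP/1.1" 302 0
10.0.0.5 - admin [14/Mar/2026:09:13:10 +0000] "POST /cgi-bin/shutdown.sh HTTP/1.1" 200 0
203.0.113.9 - - [14/Mar/2026:09:14:22 +0000] "POST /cgi-bin/shutdown.sh HTTP/1.1" 401 0
"""

# Management endpoints named in the advisory.
SENSITIVE_PATHS = {"/cgi-bin/reboot.sh", "/cgi-bin/shutdown.sh"}
# Hypothetical trusted management network that may legitimately reach them.
TRUSTED_PREFIX = "10.0.0."

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_power_control_requests(log_text: str) -> List[Dict[str, object]]:
    """Return requests to a power-control script from outside the trusted range.

    Each hit records whether the device accepted the request (HTTP 200/302,
    the success indicator given in the advisory) or rejected it, so that
    successful reboots/shutdowns can be separated from blocked attempts.
    """
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path not in SENSITIVE_PATHS or m["src"].startswith(TRUSTED_PREFIX):
            continue
        hits.append({
            "ts": m["ts"],
            "src": m["src"],
            "user": m["user"],
            "path": path,
            "status": m["status"],
            "accepted": m["status"] in ("200", "302"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_power_control_requests(SAMPLE_LOG):
        verdict = "ACCEPTED" if hit["accepted"] else "rejected"
        print(f'{hit["ts"]} {hit["src"]} {hit["path"]} -> {hit["status"]} ({verdict})')
```

An accepted hit from an untrusted source on an unpatched device is a likely reboot or shutdown and should be correlated with device uptime; a rejected hit shows that the firewall or proxy rule is working.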