CVE-2026-41446 illustrates a recurring anti-pattern in professional IoT: undocumented diagnostic HTTP endpoints whose only "authentication" relies on the MAC address and a service tag… both printed in plaintext on the device's physical label. Affecting Snap One WattBox 800 and 820 network PDUs on firmware older than 2.10.0.0, this vulnerability lets anyone with visual or photographic access to the label execute arbitrary commands as root remotely.
Technical Details
WattBoxes are network-managed Power Distribution Units, widely used in AV/IT racks, enterprise data centers, and high-end residential installations (Crestron/Lutron integration). The firmware ships with undocumented diagnostic HTTP endpoints, reachable on the standard admin port, whose authentication consists of just two values:
- The device's MAC address (12 hex characters)
- The service tag (a short alphanumeric string)
Both are printed in plaintext on the physical label stuck to the device, and frequently appear in:
- Rack photos posted on LinkedIn / specialty forums
- Poorly protected internal documentation (Confluence, Sharepoint with weak ACLs)
- Stickers left on packaging in receiving areas
- Inventory reports emailed to customers/integrators
Exploitation is therefore possible not only by an attacker with physical access, but also by anyone holding a legible photo of the label.
Affected endpoints
Snap One has not published the full endpoint paths, but the advisory states they enable arbitrary command execution as root on the embedded OS.
Characteristics
| Field | Value |
|---|---|
| CVSS 3.1 | 9.8 (CRITICAL) |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-798 (Use of Hard-coded Credentials) + CWE-489 (Active Debug Code) |
| Authentication | None in the classical sense — info physically printed |
| Privileges obtained | root on the firmware |
Affected Products and Versions
| Product | Affected firmware | Patched version |
|---|---|---|
| WattBox 800 series | < 2.10.0.0 | 2.10.0.0 |
| WattBox 820 series | < 2.10.0.0 | 2.10.0.0 |
Other WattBox series (150, 250, 700) aren't mentioned in the official advisory — check with the vendor if you operate those models.
Exploitation and Impact
Realistic attack scenarios
Scenario 1 — Rack photo
A subcontractor posts a before/after photo from work in a customer rack. The WattBox label is legible. An attacker then identifies the device's IP (Shodan, targeted scan on the organization's range) and exploits the backdoor.
Scenario 2 — Leaked internal documentation
An asset inventory is exported as CSV with MAC addresses and service tags for billing. The file ends up on an open Confluence or weakly protected SMB share. Anyone reaching it can exploit the matching WattBoxes.
Scenario 3 — Brief physical access
A visitor or contractor with very limited access (e.g. cleaning staff) takes a photo of the labels in seconds. No further interaction needed.
Impact
- Power outage: an attacker can cut / reboot the outlets controlled by the WattBox, causing service loss on attached equipment (servers, switches, audio, video surveillance)
- Persistence: firmware modification, implant installation
- LAN pivot: WattBoxes typically sit on the management network — a prime pivot point
- Sabotage: maliciously timed reboots to maximize business impact
Detection and IOCs
Network logs
- Inbound HTTP connections to the WattBox admin port from external IPs
- Requests to undocumented paths (compare against normal usage logs)
- Unusual outbound traffic from the WattBox IP (PDUs should only talk to the monitoring server)
WattBox logs
If the firmware version supports it, enable the audit log and forward it to a SIEM. Indicators:
- Reboot / power-cut commands not aligned with the maintenance calendar
- Configuration changes outside change windows
- Access from non-allowlisted IPs
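The following Python is an added example, not code from Snap One or from the advisory, that applies the network-log indicators and the WattBox audit-log indicators above to a handful of constructed log lines. The log formats, the IP addresses, the monitoring-server allowlist, the management VLAN, the admin port (assumed to be 80, since the advisory does not name the port) and the maintenance window are all assumptions to be replaced with your own inventory.

```python
"""Flag the CVE-2026-41446 indicators listed above in connection and audit logs.

Added example; formats and values below are constructed, not vendor output.
Connection log line: ts,src,dst,dport   (one accepted TCP connection)
Audit log line:      ts,device,src,action (one WattBox audit event)
"""
from datetime import datetime, time
import ipaddress

ADMIN_PORT = 80                                    # assumption: HTTP admin port
WATTBOX_IPS = {"10.20.0.11", "10.20.0.12"}         # constructed PDU inventory
MONITORING_IPS = {"10.20.0.5"}                     # constructed allowlist (the ACL source set)
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")    # constructed management VLAN
MAINT_WINDOW = (6, time(2, 0), time(4, 0))         # constructed: Sunday 02:00-04:00
POWER_ACTIONS = {"reboot_outlet", "power_off_outlet"}   # constructed action names
CONFIG_ACTIONS = {"config_change"}


def parse_conn(line):
    ts, src, dst, dport = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "dport": int(dport)}


def parse_audit(line):
    ts, device, src, action = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "device": device, "src": src, "action": action}


def in_maintenance_window(ts):
    weekday, start, end = MAINT_WINDOW
    return ts.weekday() == weekday and start <= ts.time() < end


def check_connection(rec):
    """Network-log indicators: who talks to the admin port, and what the PDU talks to."""
    hits = []
    if rec["dst"] in WATTBOX_IPS and rec["dport"] == ADMIN_PORT:
        if rec["src"] not in MONITORING_IPS:
            hits.append("admin_port_from_non_allowlisted_ip")
        if ipaddress.ip_address(rec["src"]) not in MGMT_NET:
            hits.append("admin_port_from_outside_mgmt_vlan")
    # A PDU should only ever talk to the monitoring server.
    if rec["src"] in WATTBOX_IPS and rec["dst"] not in MONITORING_IPS:
        hits.append("unexpected_outbound_from_pdu")
    return hits


def check_audit(rec):
    """Audit-log indicators: power/config actions outside the window, non-allowlisted sources."""
    hits = []
    outside = not in_maintenance_window(rec["ts"])
    if rec["action"] in POWER_ACTIONS and outside:
        hits.append("power_action_outside_maintenance_window")
    if rec["action"] in CONFIG_ACTIONS and outside:
        hits.append("config_change_outside_window")
    if rec["src"] not in MONITORING_IPS:
        hits.append("audit_access_from_non_allowlisted_ip")
    return hits


def scan(conn_lines, audit_lines):
    """Return (timestamp, indicator, raw line) tuples for every hit."""
    findings = []
    for line in conn_lines:
        rec = parse_conn(line)
        findings += [(rec["ts"].isoformat(), h, line.strip()) for h in check_connection(rec)]
    for line in audit_lines:
        rec = parse_audit(line)
        findings += [(rec["ts"].isoformat(), h, line.strip()) for h in check_audit(rec)]
    return findings


# Constructed sample data (2026-03-01 is a Sunday, inside the window above).
CONN_LOG = [
    "2026-03-01T10:15:00,10.20.0.5,10.20.0.11,80",      # monitoring server: expected
    "2026-03-01T10:16:30,203.0.113.7,10.20.0.11,80",    # external IP to admin port
    "2026-03-01T10:17:05,10.20.0.11,198.51.100.9,443",  # PDU calling out to the internet
    "2026-03-01T10:18:00,10.20.0.77,10.20.0.12,80",     # internal but not allowlisted
]
AUDIT_LOG = [
    "2026-03-01T02:30:00,wattbox-rack1,10.20.0.5,reboot_outlet",      # in window, allowlisted
    "2026-03-03T14:00:00,wattbox-rack1,10.20.0.77,power_off_outlet",  # Tuesday afternoon
    "2026-03-03T14:01:00,wattbox-rack1,10.20.0.77,config_change",
    "2026-03-03T14:02:00,wattbox-rack1,10.20.0.5,login_ok",
]

if __name__ == "__main__":
    for ts, indicator, raw in scan(CONN_LOG, AUDIT_LOG):
        print(f"{ts}  {indicator:42s}  {raw}")
```

The allowlist used here is the same set of monitoring-server IPs that the ACL workaround in the mitigation section restricts the admin port to, so the detection rule and the network control stay in agreement; feed the real audit log into `parse_audit` once the firmware's export format is known.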
Physical verification
Audit the chain of custody for the labels:
- How many people have had access to the labels since installation?
- Are there historical inventory photos with the label visible?
- Has the service tag been shared via email / ticketing?
Mitigation and Patch
Immediate action: update
Firmware 2.10.0.0 or later fixes the vulnerability. Generic procedure:
- Download the firmware from the Snap One portal
- Log into the WattBox web UI
- Maintenance → Firmware → Upload firmware → reboot
Workaround if the upgrade is delayed
- Network isolation: place all WattBoxes on a strict management VLAN, no internet access, only reachable from the monitoring server
- Access ACL: limit access to the HTTP admin port to monitoring-server IPs only
- Service tag rotation: if the new firmware allows it, regenerate all service tags after upgrade (any photographed values become obsolete)
Long-term hardening
- Remove the physical labels, or cover the sensitive values (MAC + tag) with an opaque sticker after installation, keeping a secured offline copy of the values
- Revise photography policies in sensitive technical zones (no photos, mandatory reporting)
- Periodically audit inventory exports to ensure they no longer contain service tags
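Two of the steps above (find the WattBox 800/820 units still below 2.10.0.0, and audit inventory exports for label values) are easy to get subtly wrong with a string comparison or a naive grep. The Python below is an added example, not Snap One tooling; the inventory rows, the firmware versions other than 2.10.0.0, the CSV column names and the MAC value are constructed.

```python
"""Fleet audit helpers for CVE-2026-41446 (added example, constructed data).

1. fleet_status(): compares firmware numerically against 2.10.0.0 for the
   800/820 series named in the advisory; other series are reported as
   'not_in_advisory' so someone asks the vendor rather than assuming safe.
2. audit_export(): checks an inventory CSV for service-tag / MAC columns and
   for MAC-looking values hiding in free-text columns.
"""
import csv
import io
import re

PATCHED = (2, 10, 0, 0)             # fixed version from the advisory
AFFECTED_SERIES = {"800", "820"}
SENSITIVE_COLUMNS = {"service_tag", "servicetag", "mac", "mac_address"}  # assumed header names
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b|\b[0-9A-Fa-f]{12}\b")


def parse_version(text):
    """'2.9.1.0' -> (2, 9, 1, 0). A plain string compare would rank '2.9.1.0'
    above '2.10.0.0'; tuples of ints compare field by field."""
    return tuple(int(part) for part in text.strip().split("."))


def device_status(series, firmware):
    if series not in AFFECTED_SERIES:
        return "not_in_advisory"
    return "vulnerable" if parse_version(firmware) < PATCHED else "patched"


def fleet_status(inventory):
    """Map device name -> status for every row of a constructed inventory."""
    return {row["name"]: device_status(row["series"], row["firmware"]) for row in inventory}


def audit_export(csv_text):
    """Return a list of problems found in an inventory export (empty list = clean)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    issues = []
    headers = [h.strip().lower() for h in (reader.fieldnames or [])]
    for header in headers:
        if header in SENSITIVE_COLUMNS:
            issues.append(f"column '{header}' present")
    for line_no, row in enumerate(reader, start=2):   # line 1 is the header
        for header, value in row.items():
            if value and header.strip().lower() not in SENSITIVE_COLUMNS and MAC_RE.search(value):
                issues.append(f"row {line_no}: MAC-like value in column '{header}'")
    return issues


# Constructed inventory: versions other than 2.10.0.0 are made up for the example.
INVENTORY = [
    {"name": "wb-rack1", "series": "800", "firmware": "2.9.1.0"},
    {"name": "wb-rack2", "series": "820", "firmware": "2.10.0.0"},
    {"name": "wb-rack3", "series": "820", "firmware": "2.10.1.0"},
    {"name": "wb-lobby", "series": "250", "firmware": "1.4.2.0"},
]

# Constructed exports: one still carries a service-tag column, one is clean,
# one leaks a MAC inside a free-text notes column.
EXPORT_WITH_TAG = "device,ip,service_tag\nwb-rack1,10.20.0.11,TAG-EXAMPLE-1\n"
EXPORT_CLEAN = "device,ip,notes\nwb-rack1,10.20.0.11,rack 1 bottom\n"
EXPORT_NOTES_LEAK = "device,ip,notes\nwb-rack1,10.20.0.11,label 00:1A:2B:3C:4D:5E photographed\n"

if __name__ == "__main__":
    for name, status in fleet_status(INVENTORY).items():
        print(f"{name:10s} {status}")
    for label, text in [("tag", EXPORT_WITH_TAG), ("clean", EXPORT_CLEAN), ("notes", EXPORT_NOTES_LEAK)]:
        print(label, audit_export(text) or "ok")
```

Run `fleet_status` against the real asset list before and after the rollout, and wire `audit_export` into whatever job produces the customer/integrator inventory reports so an export containing a service tag column fails before it is emailed.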
Why Continuous Monitoring of IoT Matters
Professional IoT (PDUs, UPSes, AV-over-IP gear, HVAC controllers) is massively present in enterprise infrastructure but largely absent from traditional vulnerability inventories. CVEs like CVE-2026-41446, exploiting questionable design rather than classic bugs, are precisely the ones generic scanners miss.
With cveo.tech, inventory your IoT and infrastructure devices alongside your critical servers and get automatic alerts when a major CVE targets one of your exact versions — including for niche vendors that classic scanning tools ignore.