critical advisory

Taiko AG1000-01A SMS Alert Gateway Authentication Bypass (CVE-2026-9141)

Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contain an authentication bypass vulnerability (CVE-2026-9141) in the embedded web configuration interface, allowing unauthenticated attackers to access internal application pages, modify alarm routing, and disrupt monitoring and control functions.

Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 are vulnerable to an authentication bypass (CVE-2026-9141). The embedded web configuration interface lacks proper session management and server-side authentication checks. This vulnerability allows unauthenticated attackers with network access to bypass authentication and directly access internal application pages. Successful exploitation grants attackers full administrative read and write access to the device, allowing them to modify alarm routing and device configuration and to disrupt monitoring and control functions.

Attack Chain

  1. The attacker gains network access to the Taiko AG1000-01A device.
  2. The attacker sends an HTTP GET request to the device’s web interface.
  3. The attacker bypasses authentication by directly requesting internal resources such as /index.zhtml, /point.zhtml, or /log.shtml.
  4. The web server, lacking authentication checks, serves the requested internal resource to the unauthenticated attacker.
  5. The attacker analyzes the exposed configuration data in index.zhtml to understand device settings.
  6. The attacker modifies alarm routing rules via point.zhtml, redirecting alerts to attacker-controlled systems.
  7. The attacker alters device configuration settings, potentially disabling security features or adding malicious scripts via point.zhtml.
  8. The attacker disrupts monitoring and control functions, leading to potential operational outages or safety incidents.

Impact

Successful exploitation of CVE-2026-9141 allows unauthenticated attackers to gain full administrative access to the Taiko AG1000-01A SMS Alert Gateway. This can lead to unauthorized modification of alarm routing and device configuration, and to disruption of monitoring and control functions. The CVSS v3.1 base score for this vulnerability is 9.8, indicating a critical risk. Affected sectors include any organization using this device for critical alerting, such as industrial control systems or emergency notification systems.

Recommendation

  • Deploy the Sigma rule detecting direct access to sensitive ZHTML pages to identify potential exploitation attempts (see rules section).
  • Restrict network access to the Taiko AG1000-01A web interface to authorized personnel only using firewall rules (see network-based rule in rules section).
  • Monitor web server logs for requests to sensitive files (index.zhtml, point.zhtml, log.shtml) without prior authentication.
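
One way to implement the log-monitoring and source-restriction checks above, as an added example that is not part of the original advisory or any vendor tooling. It assumes Common Log Format access logs taken from a proxy or tap in front of the gateway and a hypothetical management subnet (10.20.30.0/28); the sample log lines are constructed.

```python
import ipaddress
import re

# Pages named in this advisory as reachable without authentication.
SENSITIVE_PATHS = {"/index.zhtml", "/point.zhtml", "/log.shtml"}

# Assumption: hypothetical management subnet allowed to reach the web interface.
ALLOWED_NETS = [ipaddress.ip_network("10.20.30.0/28")]

# Assumption: access logs are in Common Log Format.
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def normalize_path(target):
    # Drop query/fragment, collapse repeated slashes, lowercase, so trivial
    # variants of a sensitive page still match.
    path = re.split(r"[?#]", target, maxsplit=1)[0]
    return re.sub(r"/{2,}", "/", path).lower()

def is_allowed(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # non-IP source field: treat as untrusted
    return any(addr in net for net in ALLOWED_NETS)

def find_suspicious(lines):
    """Return (src, ts, method, path, status) for sensitive-page requests
    that come from outside ALLOWED_NETS."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        path = normalize_path(m["target"])
        if path in SENSITIVE_PATHS and not is_allowed(m["src"]):
            hits.append((m["src"], m["ts"], m["method"], path, int(m["status"])))
    return hits

# Constructed sample log lines (not from a real device).
SAMPLE = [
    '10.20.30.5 - - [01/Jan/2026:10:00:00 +0000] "GET /index.zhtml HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2026:10:03:11 +0000] "GET /point.zhtml HTTP/1.1" 200 8341',
    '192.0.2.44 - - [01/Jan/2026:10:03:40 +0000] "POST //point.zhtml?id=3 HTTP/1.1" 200 211',
    '198.51.100.7 - - [01/Jan/2026:10:05:02 +0000] "GET /logo.png HTTP/1.1" 200 990',
    '198.51.100.7 - - [01/Jan/2026:10:05:09 +0000] "GET /LOG.shtml HTTP/1.1" 404 0',
]
```

Write requests (such as the POST to point.zhtml in the sample) from outside the management subnet deserve the highest triage priority, since alarm routing is changed through that page.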

Detection coverage 2

Detect CVE-2026-9141 Exploitation — Direct Access to Taiko AG1000-01A ZHTML Pages

high

Detects CVE-2026-9141 exploitation — direct HTTP GET requests to sensitive Taiko AG1000-01A SMS Alert Gateway ZHTML configuration pages without authentication.

sigma | tactics: initial_access | techniques: T1190 | sources: webserver

Detect CVE-2026-9141 Exploitation — Network-Based Access to Taiko Device

medium

Detects CVE-2026-9141 exploitation — monitors network connections to the Taiko device from unexpected source IPs.

sigma | tactics: initial_access | techniques: T1190 | sources: network_connection, windows

Detection queries are available on the platform.