{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/taiko/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.6,"id":"CVE-2026-9144"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AG1000-01A SMS Alert Gateway"],"_cs_severities":["medium"],"_cs_tags":["xss","stored_xss","CVE-2026-9144","web_application"],"_cs_type":"advisory","_cs_vendors":["Taiko"],"content_html":"\u003cp\u003eThe Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a stored cross-site scripting (XSS) vulnerability, identified as CVE-2026-9144, within its embedded web configuration interface. This flaw enables authenticated attackers to inject and execute persistent JavaScript code within the administrative dashboard. The attack involves bypassing front-end length restrictions by fragmenting malicious payloads across multiple administrative form fields, using techniques like JavaScript comments and template literals to concatenate executable script fragments. These fragments are then rendered in administrative dashboard views, such as index.zhtml, leading to persistent script execution whenever an administrator accesses the affected pages. This vulnerability poses a significant risk to the confidentiality and integrity of the SMS Alert Gateway.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Taiko AG1000-01A SMS Alert Gateway web configuration interface.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies multiple administrative form fields that allow input.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious JavaScript payload, designed to execute arbitrary commands or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker fragments the payload into smaller chunks, using JavaScript comments (\u003ccode\u003e/* ... */\u003c/code\u003e) and template literals to bypass front-end length restrictions on the form fields.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the fragmented payload across multiple administrative form fields.\u003c/li\u003e\n\u003cli\u003eWhen an administrator accesses a dashboard view such as \u003ccode\u003eindex.zhtml\u003c/code\u003e, the fragmented JavaScript payload is reassembled and executed within the administrator\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eThe executed JavaScript can perform actions such as stealing administrator cookies, modifying configuration settings, or launching further attacks against the gateway.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistent code execution on the SMS Alert Gateway administrative interface, potentially compromising the entire system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this stored XSS vulnerability (CVE-2026-9144) could allow an attacker to compromise the Taiko AG1000-01A SMS Alert Gateway. The attacker could gain unauthorized access to sensitive configuration data, modify alert settings, or even use the gateway as a platform for launching further attacks. Given the nature of SMS alert gateways, a compromised device could be used to send malicious SMS messages, leading to potential phishing or malware distribution campaigns.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Taiko AG1000-01A Fragmented XSS Attempt\u003c/code\u003e to detect attempts to inject malicious JavaScript by fragmenting payloads across multiple administrative form fields in web server logs.\u003c/li\u003e\n\u003cli\u003eApply input validation and output encoding to all administrative form fields on the Taiko AG1000-01A SMS Alert Gateway to prevent XSS attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to the web configuration interface, focusing on requests with fragmented JavaScript payloads.\u003c/li\u003e\n\u003cli\u003eApply any available patches or updates from Taiko to address CVE-2026-9144.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T20:19:00Z","date_published":"2026-05-20T20:19:00Z","id":"https://feed.craftedsignal.io/briefs/2026-05-taiko-xss/","summary":"Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 is vulnerable to stored cross-site scripting (CVE-2026-9144) in the web configuration interface, allowing authenticated attackers to execute persistent JavaScript by fragmenting malicious payloads across multiple administrative form fields for persistent code execution.","title":"Taiko AG1000-01A SMS Alert Gateway Stored XSS (CVE-2026-9144)","url":"https://feed.craftedsignal.io/briefs/2026-05-taiko-xss/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-9141"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AG1000-01A SMS Alert Gateway"],"_cs_severities":["critical"],"_cs_tags":["authentication-bypass","web-application","critical"],"_cs_type":"advisory","_cs_vendors":["Taiko"],"content_html":"\u003cp\u003eTaiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 is vulnerable to an authentication bypass (CVE-2026-9141). The embedded web configuration interface lacks proper session management and server-side authentication checks. This vulnerability allows unauthenticated attackers with network access to bypass authentication and directly access internal application pages. Successful exploitation grants attackers full administrative read and write access to the device. This allows them to modify alarm routing, device configuration, and disrupt monitoring and control functions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains network access to the Taiko AG1000-01A device.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP GET request to the device\u0026rsquo;s web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses authentication by directly requesting internal resources such as \u003ccode\u003e/index.zhtml\u003c/code\u003e, \u003ccode\u003e/point.zhtml\u003c/code\u003e, or \u003ccode\u003e/log.shtml\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe web server, lacking authentication checks, serves the requested internal resource to the unauthenticated attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the exposed configuration data in \u003ccode\u003eindex.zhtml\u003c/code\u003e to understand device settings.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies alarm routing rules via \u003ccode\u003epoint.zhtml\u003c/code\u003e, redirecting alerts to attacker-controlled systems.\u003c/li\u003e\n\u003cli\u003eThe attacker alters device configuration settings, potentially disabling security features or adding malicious scripts via \u003ccode\u003epoint.zhtml\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker disrupts monitoring and control functions, leading to potential operational outages or safety incidents.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9141 allows unauthenticated attackers to gain full administrative access to the Taiko AG1000-01A SMS Alert Gateway. This can lead to unauthorized modification of alarm routing, device configuration, and disruption of monitoring and control functions. The CVSS v3.1 base score for this vulnerability is 9.8, indicating a critical risk. Affected sectors include any organizations using this device for critical alerting, such as industrial control systems or emergency notification systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule detecting direct access to sensitive ZHTML pages to identify potential exploitation attempts (see rules section).\u003c/li\u003e\n\u003cli\u003eRestrict network access to the Taiko AG1000-01A web interface to authorized personnel only using firewall rules (see network-based rule in rules section).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to sensitive files (index.zhtml, point.zhtml, log.shtml) without prior authentication.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T20:18:42Z","date_published":"2026-05-20T20:18:42Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-9141-taiko-auth-bypass/","summary":"Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains an authentication bypass vulnerability (CVE-2026-9141) in the embedded web configuration interface, allowing unauthenticated attackers to access internal application pages, modify alarm routing, and disrupt monitoring and control functions.","title":"Taiko AG1000-01A SMS Alert Gateway Authentication Bypass (CVE-2026-9141)","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-9141-taiko-auth-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-9139"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AG1000-01A SMS Alert Gateway"],"_cs_severities":["critical"],"_cs_tags":["cve","hardcoded-credentials","network-device"],"_cs_type":"threat","_cs_vendors":["Taiko"],"content_html":"\u003cp\u003eTaiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 are vulnerable to a critical security flaw (CVE-2026-9139) due to hard-coded credentials in the device\u0026rsquo;s web configuration interface. The vulnerability stems from the authentication mechanism being implemented entirely in client-side JavaScript within the login.zhtml page. The static plaintext credentials are exposed directly in the page source, making them easily accessible to anyone with network access to the device. This vulnerability allows an unauthenticated attacker to recover administrative credentials and gain full administrative access, posing a significant risk to the device and potentially the wider network it is connected to.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains network access to the Taiko AG1000-01A SMS Alert Gateway device.\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the device\u0026rsquo;s web configuration interface, typically accessible via a web browser.\u003c/li\u003e\n\u003cli\u003eThe web browser downloads the login.zhtml page containing the client-side JavaScript code.\u003c/li\u003e\n\u003cli\u003eAttacker views the page source of login.zhtml.\u003c/li\u003e\n\u003cli\u003eAttacker identifies the validate() function within the JavaScript code.\u003c/li\u003e\n\u003cli\u003eAttacker extracts the hard-coded plaintext administrative credentials from the validate() function.\u003c/li\u003e\n\u003cli\u003eAttacker uses the recovered credentials to log in to the web configuration interface as an administrator.\u003c/li\u003e\n\u003cli\u003eAttacker gains full administrative control of the Taiko AG1000-01A SMS Alert Gateway device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants an attacker full administrative access to the Taiko AG1000-01A SMS Alert Gateway. This could lead to unauthorized modification of device settings, disruption of SMS alert services, or potential use of the device as a pivot point for further attacks within the network. Given the critical nature of alert gateways in many operational environments, the impact could range from missed alerts to significant operational disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the following rule to detect access to the login page: \u0026ldquo;Detect Access to Taiko AG1000 Login Page\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Taiko AG1000 Login Attempt with Exposed Credentials\u0026rdquo; Sigma rule to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eDisable the web configuration interface on Taiko AG1000-01A SMS Alert Gateway devices if it is not required.\u003c/li\u003e\n\u003cli\u003eApply provided patch or upgrade to a version of Taiko AG1000-01A SMS Alert Gateway that addresses CVE-2026-9139.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T20:18:24Z","date_published":"2026-05-20T20:18:24Z","id":"https://feed.craftedsignal.io/briefs/2026-05-taiko-ag1000-creds/","summary":"Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a hard-coded credential vulnerability (CVE-2026-9139) in the embedded web configuration interface, allowing unauthenticated attackers with network access to recover administrative credentials directly from client-side JavaScript and gain full administrative access to the device.","title":"Taiko AG1000-01A SMS Alert Gateway Hardcoded Credentials Vulnerability (CVE-2026-9139)","url":"https://feed.craftedsignal.io/briefs/2026-05-taiko-ag1000-creds/"}],"language":"en","title":"CraftedSignal Threat Feed — Taiko","version":"https://jsonfeed.org/version/1.1"}