Wasteland.
⚡ Active KEV CVE-2026-9139 2026-05-20

CVE-2026-9139: Hard-Coded Credentials in Taiko AG1000-01A SMS Alert Gateway

A critical (CVSS 9.8) hard-coded credential flaw in the Taiko AG1000-01A SMS Alert Gateway exposes administrative credentials in client-side JavaScript, allowing unauthenticated attackers on the network to fully take over the device.

What Is It

CVE-2026-9139 is a hard-coded credential vulnerability (CWE-798) in the embedded web configuration interface of the Taiko AG1000-01A SMS Alert Gateway. Authentication on the device is implemented entirely in client-side JavaScript within login.zhtml, with static plaintext credentials baked into the page source. The credentials live inside the client-side validate() function, meaning any user who can load the login page can read them directly from the served HTML/JS.

The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H confirms that the flaw is network-reachable, requires neither privileges nor user interaction, and yields high impact across confidentiality, integrity, and availability. The CVSS 4.0 base score is 9.3.

Why It Matters

An unauthenticated attacker with network access to the device's web interface can recover administrative credentials by simply viewing the page source. From there, full administrative access to the gateway is trivial. Because SMS alert gateways are often used to relay operational alerts and notifications, an attacker with admin control could suppress alerts, alter delivery, or pivot into adjacent infrastructure.

No KEV entry is currently associated with this CVE, so CISA has not confirmed active exploitation in the wild at the time of publication. However, the exploitation path is essentially "view source," which lowers the bar to near zero.

What's Vulnerable

No affected CPE list was published in the NVD record at the time of writing.

Patch Status

The supplied NVD record does not list a vendor patch, fixed version, or required mitigation action. Operators should consult the VulnCheck advisory and the original disclosure (linked below) for the latest remediation guidance, and in the interim restrict network access to the device's management interface to trusted hosts only.

Sources