CVE-2026-26235: Missing Authentication for Critical Function in ALBRECHT JUNG GMBH & CO. KG JUNG Smart Visu Server
CVE-2026-26235 is a high-severity denial of service vulnerability in JUNG Smart Visu Server version 1.1.1050. It allows unauthenticated remote attackers to reboot or shut down the server by sending a single POST request without any authentication. This missing authentication for a critical function can disrupt building automation systems relying on this server. The vulnerability has a CVSS 4.0 score of 8.7, indicating a high impact with no user interaction or privileges required. No known exploits are currently reported in the wild. European organizations using this product in smart building or industrial automation environments face significant operational risks.
AI Analysis
Technical Summary
CVE-2026-26235 identifies a critical security vulnerability in the JUNG Smart Visu Server version 1.1.1050, developed by ALBRECHT JUNG GMBH & CO. KG. The vulnerability arises from a missing authentication mechanism protecting a critical server function that handles shutdown and reboot commands. An unauthenticated attacker can send a specially crafted POST request to the server, triggering an immediate reboot or shutdown without any credentials or user interaction. This results in a denial of service (DoS) condition, disrupting the availability of the server and any dependent building automation or smart home systems. The vulnerability is remotely exploitable over the network (AV:N), requires no privileges (PR:N) and no user interaction (UI:N), and, of confidentiality, integrity, and availability, primarily impacts availability (VA:H). The CVSS 4.0 base score of 8.7 reflects the high severity due to ease of exploitation and critical impact on system availability. No patches or official remediation links are currently published, and no exploits are known to be active in the wild. The affected product is used in smart building environments to manage and visualize automation controls, making this vulnerability particularly impactful in operational technology contexts where uptime is critical.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the operational continuity of smart building and industrial automation systems that rely on the JUNG Smart Visu Server. A successful attack could cause unexpected server reboots or shutdowns, leading to loss of control over building automation functions such as HVAC, lighting, security systems, and energy management. This disruption can affect employee safety, comfort, and productivity, and potentially cause financial losses due to downtime. Critical infrastructure facilities using this product may face increased risk of operational disruption. The lack of authentication means attackers can exploit this vulnerability remotely without prior access, increasing the attack surface. Given the increasing reliance on smart building technologies in Europe, the impact extends to commercial buildings, data centers, hospitals, and government facilities. The absence of known exploits currently reduces immediate risk, but the vulnerability’s simplicity and severity make it a likely target for future exploitation.
Mitigation Recommendations
1. Immediately restrict network access to the JUNG Smart Visu Server, allowing only trusted management networks or VPN connections to communicate with the server, effectively blocking unauthorized external POST requests.
2. Implement network-level firewall rules or intrusion prevention systems (IPS) to detect and block suspicious POST requests targeting the server’s reboot/shutdown endpoint.
3. Monitor server logs and network traffic for unusual POST requests or unexpected reboots to detect potential exploitation attempts early.
4. Engage with ALBRECHT JUNG GMBH & CO. KG for official patches or firmware updates addressing this vulnerability and apply them promptly once available.
5. Consider deploying application-layer gateways or reverse proxies that enforce authentication before forwarding requests to the Smart Visu Server.
6. Conduct a thorough inventory of all JUNG Smart Visu Server deployments within the organization to assess exposure and prioritize mitigation efforts.
7. Educate operational technology and IT teams about this vulnerability to ensure rapid response and incident handling if exploitation is suspected.
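The log monitoring in recommendation 3, combined with the source restriction in 1 and the authenticating proxy in 5, can be sketched as follows. This is an added example, not code from the advisory or the vendor. It assumes a reverse proxy in front of the server writes Combined Log Format access logs; the trusted networks, sample lines and request path are constructed placeholders.

```python
import ipaddress
import re

# Assumption: management networks allowed to reach the server (constructed values).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.168.50.0/28")]
# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Constructed sample lines; the path is a placeholder, not the product's real endpoint.
SAMPLE_LOG = """\
10.20.0.15 - facility-admin [12/Feb/2026:03:10:01 +0000] "POST /PLACEHOLDER/power HTTP/1.1" 200 12 "-" "curl/8.5"
10.20.0.15 - - [12/Feb/2026:03:11:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.77 - - [12/Feb/2026:03:12:09 +0000] "POST /PLACEHOLDER/power HTTP/1.1" 200 12 "-" "python-requests/2.31"
10.20.0.22 - - [12/Feb/2026:03:13:55 +0000] "POST /PLACEHOLDER/power HTTP/1.1" 401 0 "-" "Mozilla/5.0"
garbage line that does not parse
"""

def is_trusted(ip_text):
    """True if the source address lies inside a trusted management network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable source is treated as untrusted
    return any(ip in net for net in TRUSTED_NETS)

def find_suspicious_posts(log_text):
    """Flag POSTs from untrusted sources or without an authenticated user."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # malformed lines and non-POST requests are skipped
        reasons = []
        if not is_trusted(m["ip"]):
            reasons.append("untrusted-source")
        if m["user"] == "-":  # proxy logged no authenticated user
            reasons.append("no-authenticated-user")
        if reasons:
            findings.append({"line": lineno, "ip": m["ip"], "path": m["path"],
                             "reasons": reasons,
                             # 2xx means the proxy forwarded the request
                             "reached_server": m["status"].startswith("2")})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_posts(SAMPLE_LOG):
        print(finding)
```

A finding with `reached_server` set is the one to correlate against unexpected reboots; a flagged request answered with 401 shows the proxy's authentication check doing its job.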
Affected Countries
Germany, France, Netherlands, Belgium, Switzerland, Austria, United Kingdom
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-02-12T01:24:09.127Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 698d49854b57a58fa1aa88fe
Added to database: 2/12/2026, 3:31:17 AM
Last enriched: 2/12/2026, 3:45:34 AM
Last updated: 2/12/2026, 6:36:10 AM