CVE-2026-26340: CWE-306 Missing Authentication for Critical Function in Tattile s.r.l. Smart+
Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior expose RTSP streams without requiring authentication. A remote attacker can connect to the RTSP service and access live video/audio streams without valid credentials, resulting in unauthorized disclosure of surveillance data.
AI Analysis
Technical Summary
CVE-2026-26340 is a CWE-306 (Missing Authentication for Critical Function) issue affecting Tattile s.r.l.'s Smart+, Vega, and Basic device families running firmware 1.181.5 and earlier. The root cause is that the Real Time Streaming Protocol (RTSP) service embedded in these devices does not enforce authentication. RTSP (by default TCP port 554) is the control protocol surveillance cameras use to negotiate and deliver live video and audio; the protocol itself supports HTTP-style Basic and Digest authentication, so the flaw is that the device answers DESCRIBE/SETUP/PLAY requests without demanding credentials, not a limitation of RTSP. Any attacker who can reach the RTSP port can therefore pull the live streams with a standard RTSP client and no username or password, bypassing whatever access controls the device's management interface applies. The CVSS v4.0 base score is 8.7 (High): network attack vector, no privileges and no user interaction required, with the impact confined to the confidentiality of the streams on the vulnerable system (no integrity or availability impact; CVSS v4.0 has no scope metric, and no impact on subsequent systems is reported). At the time of publication no vendor patch or official mitigation had been released, and no exploitation in the wild had been observed. Because these devices are deployed for surveillance and traffic monitoring, the exposure bears directly on privacy and physical-security monitoring in the environments that rely on them.
Potential Impact
The primary impact of CVE-2026-26340 is unauthorized disclosure of surveillance video and audio, a loss of confidentiality. Organizations that rely on Tattile Smart+, Vega, and Basic devices for security monitoring, traffic control, or industrial automation face privacy violations, espionage, and operational-security risk. An attacker can use the exposed streams to study physical security measures, track personnel and vehicle movements, or perform reconnaissance for a follow-on intrusion. Because no authentication is enforced, exploitation is trivial for anyone with network reachability: a stock RTSP client such as VLC or ffplay pointed at the device's stream URL is enough, whether from the internal network or from the internet where the RTSP port has been exposed. The resulting exposure of personal data can bring regulatory, reputational, and legal consequences for the operator. Device integrity and availability are not directly affected, but the confidentiality breach alone is severe given the nature of the data.
Mitigation Recommendations
1. Immediately restrict network access to the RTSP service (TCP port 554, plus any alternate port the device is configured to use) with firewall rules or network segmentation so that only the recording servers, VMS/NVR hosts, and management stations that legitimately consume the streams can reach it. Never expose the RTSP port to the internet.
2. Monitor for RTSP connections (DESCRIBE/SETUP/PLAY requests to port 554) on the camera subnets from any source outside that allowlist, and alert on new or long-lived sessions from unexpected clients.
3. Disable RTSP streaming if it is not required. If the firmware exposes an RTSP authentication setting, enable it and confirm with an unauthenticated DESCRIBE that the device now answers 401 rather than 200 with an SDP body.
4. Engage Tattile s.r.l. for a firmware update that enforces RTSP authentication, and apply it promptly once released; re-run the check in item 3 after the upgrade.
5. Apply strong physical and network security controls around surveillance infrastructure so that an attacker cannot simply plug into the camera network.
6. Consider deploying network intrusion detection/prevention (IDS/IPS) with rules for RTSP traffic to camera addresses from non-allowlisted sources.
7. Audit surveillance device configurations and access controls regularly, including an unauthenticated RTSP probe of each device, to confirm they match policy.
8. Brief the security team on this vulnerability so that exploitation attempts are recognized and handled quickly.
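The following is an added example, not code from the advisory or from Tattile, that performs the check described in the Technical Summary and called for in mitigation items 3 and 7: it sends one unauthenticated RTSP DESCRIBE and reports whether the device returns an SDP media description (stream served without credentials) or a 401 challenge (authentication enforced). DESCRIBE is used rather than OPTIONS because many devices answer OPTIONS without credentials even when correctly configured. The stream path `/stream`, the host `192.0.2.10`, and the two sample responses are assumptions constructed for illustration; use the stream URL from the device's own documentation.

```python
# Added example (not from the advisory or Tattile): probe an RTSP endpoint with
# DESCRIBE and report whether the stream is served without authentication.
import re
import socket
from dataclasses import dataclass, field

DEFAULT_RTSP_PORT = 554


@dataclass
class RtspVerdict:
    status: int                   # RTSP status code from the status line
    auth_required: bool           # 401 with a WWW-Authenticate challenge
    unauthenticated_stream: bool  # 200 and an SDP body describing media
    auth_schemes: list = field(default_factory=list)


def build_describe(url: str, cseq: int = 1) -> bytes:
    """Build one DESCRIBE request with no Authorization header."""
    return (
        f"DESCRIBE {url} RTSP/1.0\r\n"
        f"CSeq: {cseq}\r\n"
        "Accept: application/sdp\r\n"
        "User-Agent: rtsp-auth-check/0.1\r\n"
        "\r\n"
    ).encode("ascii")


def parse_response(raw: bytes) -> RtspVerdict:
    """Classify a raw RTSP response: open stream, auth challenge, or other."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = re.match(r"RTSP/\d\.\d\s+(\d{3})", lines[0])
    if not m:
        raise ValueError(f"not an RTSP status line: {lines[0]!r}")
    status = int(m.group(1))
    schemes = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            schemes.append(value.strip().split()[0])   # e.g. "Digest"
    has_media = any(tag in body for tag in (b"m=video", b"m=audio"))
    return RtspVerdict(
        status=status,
        auth_required=(status == 401 and bool(schemes)),
        unauthenticated_stream=(status == 200 and has_media),
        auth_schemes=schemes,
    )


def read_response(sock: socket.socket) -> bytes:
    """Read the header block, then exactly Content-Length bytes of body."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk
    head, _, body = buf.partition(b"\r\n\r\n")
    m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", head)
    want = int(m.group(1)) if m else 0
    while len(body) < want:
        chunk = sock.recv(4096)
        if not chunk:
            break
        body += chunk
    return head + b"\r\n\r\n" + body


def probe(host: str, path: str = "/stream", port: int = DEFAULT_RTSP_PORT,
          timeout: float = 5.0) -> RtspVerdict:
    """Connect and send one unauthenticated DESCRIBE. The default path is an
    assumption; take the real stream URL from the device configuration."""
    url = f"rtsp://{host}:{port}{path}"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_describe(url))
        return parse_response(read_response(sock))


# Constructed sample responses (not captured from a real device).
SAMPLE_OPEN = (
    b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
    b"Content-Length: 61\r\n\r\n"
    b"v=0\r\no=- 0 0 IN IP4 192.0.2.10\r\ns=cam\r\nm=video 0 RTP/AVP 96\r\n"
)
SAMPLE_AUTH = (
    b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
    b'WWW-Authenticate: Digest realm="cam", nonce="0123abcd"\r\n\r\n'
)

if __name__ == "__main__":
    import sys
    v = probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "/stream")
    if v.unauthenticated_stream:
        print("VULNERABLE: stream described without credentials")
    else:
        print(f"status {v.status}, auth schemes {v.auth_schemes}")
```

Run it as `python rtsp_auth_check.py <camera-ip> [/path]` against each device from a host that is allowed to reach port 554. A 200 with an `m=video` or `m=audio` line in the body means anyone who can reach the port can pull the stream; a 401 with a `WWW-Authenticate` challenge means authentication is being enforced. A 404 or 454 usually means the path is wrong rather than that the device is safe, so retry with the documented stream URL before concluding anything.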
Affected Countries
Italy, United States, Germany, France, United Kingdom, Canada, Netherlands, Spain, Belgium, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-02-13T17:28:43.053Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699df93ebe58cf853b1d7e8e
Added to database: 2/24/2026, 7:17:18 PM
Last enriched: 3/11/2026, 8:02:55 PM
Last updated: 4/10/2026, 7:51:31 AM