External risk intelligence

Snap One WattBox devices allow attackers full control with device serial number.

CVE advisory

Severity: CRITICAL (CVSS 9.2)

CVE-2026-41446

Snap One WattBox 800 and 820 series devices have a flaw that allows an internal attacker with physical label access to gain full administrative control. They could use this access to manipulate power distribution or disable connected equipment, leading to a loss of control over critical infrastructure.

2 Halo Surface Signal

External exposure likelihood

Halo Surface Signal score for CVE-2026-41446

The vulnerable device is a power management unit typically deployed within secure IT racks or internal management segments. While the management interface is network-accessible, exposing this type of infrastructure component directly to the public internet is not a standard or intended deployment practice, and is usually restricted behind internal network controls.

Horizon Alert

Summary of the vulnerability and why it matters

Certain Snap One WattBox devices have a security flaw that could let someone gain root access. This issue involves diagnostic interfaces that are protected by easily obtainable information, such as the device's MAC address and service tag, which are printed on the physical device. If this information is compromised, an attacker could run arbitrary commands on the device.

  • Sensitive device information is publicly visible.
  • Allows unauthorized command execution.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this by physically accessing the Snap One WattBox device or obtaining its label. They can then use the visible MAC address and service tag to authenticate to undisclosed diagnostic HTTP endpoints. This allows for arbitrary command execution with root privileges on the device.

  • Physical device access needed.
  • HTTP endpoints are vulnerable.
  • Uses plaintext credentials.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability is unlikely to be weaponized by attackers. The Snap One WattBox devices are typically deployed in secure, internal network environments, making direct internet-facing exploitation improbable. Additionally, the need for physical access to the device label for authentication further limits its appeal to widespread, automated attacks.

  • Requires physical access for details.
  • Not internet-facing by design.
  • Limited appeal for mass exploitation.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize isolating affected Snap One WattBox 800 and 820 series devices: on unpatched firmware, anyone who holds the MAC address and service tag printed on the device label can execute commands through the diagnostic endpoints. Act quickly to prevent further compromise, especially if these devices are accessible from less trusted network segments.

  • Isolate or power down affected devices.
  • Monitor network traffic for suspicious commands.
  • Update firmware to version 2.10.0.0 or later.
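As an added example (not vendor or advisory code), the sketch below triages an inventory export against the actions above: it flags 800 and 820 series units below firmware 2.10.0.0 and puts those outside the management segment first. The CSV columns, hostnames, model strings, the `MGMT_NETS` range and the idea that the series appears as a dash-separated token in the model name are all assumptions made for illustration.

```python
import csv
import io
import ipaddress

FIXED = (2, 10, 0, 0)               # first fixed firmware per the advisory
AFFECTED_SERIES = {"800", "820"}    # series named in the advisory
# Assumption: the segment(s) this site treats as trusted management networks.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed inventory export; hosts, models and column names are illustrative.
SAMPLE_INVENTORY = """\
host,ip,model,firmware
rack1-pdu,10.20.0.11,WB-800-EXAMPLE-A,2.9.0.0
rack2-pdu,10.20.0.12,WB-820-EXAMPLE-B,2.10.0.0
lobby-pdu,192.168.50.7,WB-800-EXAMPLE-A,2.8.1.3
av-pdu,192.168.50.9,WB-820-EXAMPLE-B,2.10.1.0
lab-pdu,10.20.0.20,WB-250-EXAMPLE-C,1.4.0.0
"""

def parse_version(text):
    """Turn '2.9.0.0' into (2, 9, 0, 0) so that 2.9 sorts below 2.10."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))

def series_of(model):
    """Assumption: the series is a dash-separated token in the model string."""
    return next((t for t in model.upper().split("-") if t in AFFECTED_SERIES), None)

def triage(inventory_csv):
    """Return (host, action) for affected-series devices below the fixed version."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if series_of(row["model"]) is None:
            continue
        if parse_version(row["firmware"]) >= FIXED:
            continue
        addr = ipaddress.ip_address(row["ip"])
        trusted = any(addr in net for net in MGMT_NETS)
        action = "update" if trusted else "isolate-then-update"
        findings.append((row["host"], action))
    # Devices outside the management segment come first.
    return sorted(findings, key=lambda f: f[1] != "isolate-then-update")

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(f"{host}: {action}")
```

Comparing the version strings directly would rank "2.9.0.0" above "2.10.0.0" and miss the first unit, which is why the versions are parsed into integer tuples.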

Frequently asked questions

What are Snap One WattBox 800 and 820 series devices?

Snap One WattBox 800 and 820 series devices are power management units designed for controlling and monitoring electrical power, commonly found in IT infrastructure. They facilitate power distribution management and offer diagnostic capabilities.

What type of vulnerability is CVE-2026-41446 and its weaknesses?

CVE-2026-41446 is a vulnerability classified under CWE-798 and CWE-912. It involves undisclosed diagnostic HTTP endpoints that are protected by authentication credentials (MAC address and service tag) printed on the physical device label, potentially allowing for command execution.

How can an attacker exploit CVE-2026-41446?

An attacker can exploit this vulnerability by gaining physical access to the Snap One WattBox device or its label. The MAC address and service tag, visible on the label, can be used to authenticate to specific diagnostic HTTP endpoints, enabling arbitrary command execution with root privileges on the device.

What is the relevance of CVE-2026-41446 based on threat intelligence?

The Halo Surface Signal indicates that this vulnerability is unlikely to be exploited by attackers. WattBox devices are typically deployed in secure, internal network environments, and direct internet-facing exploitation is improbable. The requirement for physical access to the device label further limits its appeal for widespread, automated attacks.

What practical steps should be taken to address this vulnerability?

It is crucial to isolate affected Snap One WattBox 800 and 820 series devices, as unpatched firmware allows unauthorized command execution using easily obtained physical device information. Prompt action is necessary to prevent further compromise, particularly if these devices are accessible from less trusted network segments. Updating firmware to version 2.10.0.0 or later is recommended.
