CVE-2026-26366
eNet · SMART HOME server
The eNet SMART HOME server utilizes default credentials that remain active post-installation, allowing unauthenticated attackers to gain administrative access to the system.
Executive summary
The eNet SMART HOME server is vulnerable to complete administrative takeover due to the presence of active default credentials that are not forcibly changed during the commissioning process.
Vulnerability
The system ships with static default credentials (user:user, admin:admin) that are not subject to a mandatory change policy upon installation. This allows unauthenticated attackers with network access to log in with administrative privileges.
Business impact
The default-credential issue carries a CVSS score of 9.8, reflecting a critical risk to system confidentiality and integrity. An attacker can gain full control over smart home functions, modify sensitive configurations, and potentially use the server as a pivot point for further network attacks, leading to significant reputational and privacy risks.
Remediation
Immediate Action: Change all default passwords for the 'user' and 'admin' accounts to unique, complex passwords and ensure the latest firmware is applied.
Proactive Monitoring: Audit access logs for successful logins using default account names and monitor for unauthorized configuration changes within the smart home server interface.
Compensating Controls: Enforce strong password policies and implement multi-factor authentication (MFA) if supported by the platform to prevent unauthorized access via credential-based attacks.
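One way to carry out the Proactive Monitoring step, as an added example that is not vendor or advisory code: it flags successful logins under the default account names and configuration changes that follow them from the same source. The key=value log layout, the event names, the 30-minute window and the `known_sources` allowlist are assumptions; adapt the parser to whatever the server actually logs.

```python
from datetime import datetime, timedelta

DEFAULT_ACCOUNTS = {"user", "admin"}      # default account names listed in the advisory
WINDOW = timedelta(minutes=30)            # assumed correlation window

# Constructed sample log; the key=value layout is an assumption, not the server's real format.
SAMPLE_LOG = """\
2026-03-01T08:00:01Z event=login result=failure user=admin src=192.168.1.77
2026-03-01T08:00:05Z event=login result=success user=admin src=192.168.1.77
2026-03-01T08:04:40Z event=config_change user=admin src=192.168.1.77 item=network
2026-03-01T09:10:00Z event=login result=success user=installer src=192.168.1.10
2026-03-01T09:12:00Z event=config_change user=installer src=192.168.1.10 item=scene
2026-03-01T11:30:00Z event=login result=success user=user src=192.168.1.10
malformed line without fields
"""

def parse(line):
    """Return (timestamp, fields), or None for lines that do not fit the assumed layout."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in parts[1].split() if "=" in kv)
    return ts, fields

def audit(log_text, known_sources=frozenset()):
    """Flag successful default-account logins and config changes that follow them."""
    findings, sessions = [], {}           # sessions: (user, src) -> time of last login
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, f = parsed
        user, src = f.get("user", "").lower(), f.get("src", "")
        if user not in DEFAULT_ACCOUNTS:
            continue
        if f.get("event") == "login" and f.get("result") == "success":
            sessions[(user, src)] = ts
            severity = "review" if src in known_sources else "alert"
            findings.append((severity, "default_login", user, src, ts.isoformat()))
        elif f.get("event") == "config_change" and (user, src) in sessions:
            if ts - sessions[(user, src)] <= WINDOW:
                findings.append(("alert", "config_after_default_login", user, src, ts.isoformat()))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, known_sources={"192.168.1.10"}):
        print(finding)
```

A log entry shows only the account name, not which password was used, so a finding from a known management host after the passwords have been rotated is a prompt to review rather than proof of compromise.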
Exploitation status
Public Exploit Available: false
Analyst recommendation
The failure to enforce password changes upon initial setup is a critical security oversight. Organizations and homeowners must treat this as an urgent priority. Immediately update all account credentials and apply the latest security patches to ensure that default access vectors are permanently closed.