CVE-2026-9139
Taiko · AG1000-01A SMS Alert Gateway
The Taiko AG1000-01A SMS Alert Gateway exposes hard-coded administrative credentials via client-side JavaScript in its configuration interface.
Executive summary
Hard-coded credentials in the Taiko SMS Alert Gateway web interface allow unauthenticated attackers to gain full administrative access to the device.
Vulnerability
This is a hard-coded credential vulnerability. Authentication logic is handled entirely in client-side JavaScript, which exposes plaintext credentials in the source code of the login page.
Business impact
An attacker can easily extract administrative credentials to gain full control over the SMS Alert Gateway. This could allow for interception of SMS traffic, disruption of alert notifications, or use of the device as a foothold in the internal network. The 9.8 CVSS score emphasizes the severity of this access control failure.
Remediation
Immediate Action: Update the device firmware to the latest manufacturer-provided version.
Proactive Monitoring: Monitor network traffic for unauthorized access to the web management interface and look for unusual administrative logins.
Compensating Controls: Isolate the SMS Alert Gateway on a dedicated, non-routable management VLAN to restrict access to only authorized users.
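The monitoring and isolation steps above can be checked together from firewall flow records. The following is an added example, not vendor or advisory code: it flags any connection to the gateway's web interface from outside the management VLAN, and it keys on source address rather than failed logins on the assumption that a login checked in the browser may leave no server-side login event. The gateway address, VLAN range, ports and log layout are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed values (assumptions, not from the advisory).
GATEWAY = ipaddress.ip_address("10.20.0.15")        # gateway management IP
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # dedicated management VLAN
WEB_PORTS = {80, 443}                               # web interface ports
# Constructed flow-log sample: "time src dst dport action"
SAMPLE_FLOWS = """\
2026-01-12T08:01:10Z 10.20.0.5 10.20.0.15 443 ALLOW
2026-01-12T08:03:44Z 10.31.7.22 10.20.0.15 80 ALLOW
2026-01-12T08:03:45Z 10.31.7.22 10.20.0.15 80 ALLOW
2026-01-12T08:04:02Z 192.0.2.77 10.20.0.15 443 DENY
2026-01-12T08:05:30Z 10.31.7.22 10.20.0.9 443 ALLOW
malformed line
"""


def parse_flow(line):
    """Return (src, dst, dport, action), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]),
                int(parts[3]), parts[4].upper())
    except ValueError:
        return None


def unauthorized_access(log_text):
    """Count web-UI flows to the gateway whose source is outside MGMT_NETS."""
    hits = Counter()
    for flow in map(parse_flow, log_text.splitlines()):
        if flow is None:
            continue
        src, dst, dport, action = flow
        if dst != GATEWAY or dport not in WEB_PORTS:
            continue
        if not any(src in net for net in MGMT_NETS):
            hits[(str(src), action)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (src, action), n in sorted(unauthorized_access(SAMPLE_FLOWS).items()):
        # ALLOW means the segmentation control let the connection through.
        level = "ALERT" if action == "ALLOW" else "info"
        print(f"{level}: {src} -> {GATEWAY} web UI, {n} flow(s), {action}")
```

An ALLOW result from a non-management source means the VLAN restriction is not being enforced for that path and should be treated as a possible administrative session.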
Exploitation status
Public Exploit Available: false
Analyst recommendation
Administrative access to security-critical hardware must be protected by robust, server-side authentication. Organizations must apply firmware updates immediately and restrict network access to the gateway interface.