CVE-2026-44159

Tyler Technologies · Tyler Identity Local (TID-L)

Tyler Identity Local (TID-L) utilizes default administrative credentials that are not required to be changed upon deployment, posing a significant risk of unauthorized administrative access.

Executive summary

The Tyler Identity Local (TID-L) platform is vulnerable to unauthorized administrative access due to the use of hardcoded, default credentials, posing a critical risk of total system compromise.

Vulnerability

This vulnerability involves the use of default administrative credentials (CWE-1392) that remain active because the system does not enforce credential changes during initialization. An unauthenticated attacker with network access to the management interface can leverage these known credentials to gain full administrative control over the application.

Business impact

Successful exploitation allows an attacker to gain full administrative access to the Tyler Identity Local system. Given the CVSS score of 9.8, this represents a critical risk, potentially leading to unauthorized data exfiltration, system reconfiguration, or lateral movement within the enterprise network. Because the product is end-of-life and unsupported, the risk profile is significantly elevated.

Remediation

Immediate Action: Since Tyler Identity Local is end-of-life and unsupported, the only effective remediation is the immediate decommissioning and removal of the software from the environment.

Proactive Monitoring: Review all access logs for the TID-L interface to identify any unauthorized logins or suspicious administrative activity performed using default accounts.

Compensating Controls: If immediate decommissioning is not possible, place the affected system behind a strict network-level firewall that limits access to the management interface to authorized IP addresses only.
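
One way to script the log review and check it against the management allowlist described above, as an added example that is not from the advisory or the vendor. The page does not give TID-L's log format or default account names, so the log line layout, the account name placeholder and the allowlisted range below are constructed assumptions to adapt.

```python
import ipaddress
import re

# Assumptions (not from the advisory): the log line layout, the account
# name placeholder and the management allowlist are all constructed.
DEFAULT_ACCOUNTS = {"default-admin-placeholder"}
MGMT_ALLOWLIST = [ipaddress.ip_network("192.0.2.0/28")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)

# Constructed sample lines (documentation address ranges only).
SAMPLE_LOG = """\
2026-01-10T08:01:12Z src=192.0.2.5 user=jsmith action=login result=success
2026-01-10T08:03:40Z src=192.0.2.7 user=default-admin-placeholder action=login result=success
2026-01-10T09:15:02Z src=203.0.113.44 user=default-admin-placeholder action=login result=failure
2026-01-10T09:15:09Z src=203.0.113.44 user=default-admin-placeholder action=login result=success
2026-01-10T09:16:30Z src=203.0.113.44 user=default-admin-placeholder action=create_user result=success
malformed line that should be skipped
"""

def in_allowlist(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source is treated as untrusted
    return any(addr in net for net in MGMT_ALLOWLIST)

def review(log_text):
    """Return (findings, skipped); each finding is (severity, ts, src, action)."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # count lines the parser could not read
            continue
        if m["user"].lower() not in DEFAULT_ACCOUNTS or m["result"] != "success":
            continue
        # Any successful default-account use is a finding; off-allowlist ranks higher.
        sev = "review" if in_allowlist(m["src"]) else "high"
        findings.append((sev, m["ts"], m["src"], m["action"]))
    return findings, skipped

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG)[0]:
        print(*finding)
```

A non-zero skipped count means part of the log was not evaluated, so the pattern should be adjusted before the review is treated as complete.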

Exploitation status

Public Exploit Available: No

Analyst recommendation

The reliance on default credentials in an unsupported product creates an unacceptable security posture. Organizations must prioritize the migration away from Tyler Identity Local immediately, as no security patches will be provided by the vendor.