Hard-coded Credential Flaw in Taiko AG1000-01A SMS Alert Gateway
CVE-2026-9139

9.3 CRITICAL

What is CVE-2026-9139?

The Taiko AG1000-01A SMS Alert Gateway versions 7.3 and 8 contain a hard-coded credential vulnerability in the embedded web configuration interface. In the 'login.zhtml' file, authentication relies solely on client-side JavaScript, so static plaintext credentials are exposed directly in the page source. An unauthorized attacker with network access can read the client-side validate() function, extract the administrative credentials, and gain full administrative access to the device.

Affected Version(s)

AG1000-01A SMS Alert Gateway Rev 7.3

AG1000-01A SMS Alert Gateway Rev 8

AG1000-01A SMS Alert Gateway UM-AG1000_R7.2

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Imam Baguna
VulnCheck