Label Leak: Hardcoded Credentials in Snap One WattBox Devices Open Door to Root Access
Do Son 
A critical vulnerability has been identified in the Snap One WattBox 800 and 820 series power controllers. The flaw, tracked as CVE-2026-41446 with a CVSS score of 9.2, reveals that diagnostic endpoints in the device’s firmware can be hijacked using information printed in plain sight on the hardware itself.
For organizations relying on these devices for managed power distribution, the “plaintext” nature of this flaw turns a simple equipment label into a master key for attackers.
The vulnerability stems from the existence of undisclosed diagnostic HTTP endpoints within the WattBox firmware. Unlike standard administrative interfaces that require robust passwords, these specific service ports authenticate users based solely on two values:
- The device’s MAC address.
- The device’s Service Tag.
The critical failure here is that both of these values are printed in plaintext on the physical device label. An attacker who has physical access to the device—or even just a photograph of its documentation—can use these identifiers to bypass standard security and authenticate to several sensitive endpoints.
Once authenticated through these hidden diagnostic ports, the stakes are remarkably high. Attackers gain the ability to execute arbitrary commands as root on the device.
In the context of power management, root access allows an adversary to:
- Manipulate power states for connected hardware.
- Intercept data or pivot to other systems on the network.
- Potentially brick the device or install persistent backdoors.
Snap One has released firmware version 2.10.0.0 to address this and other security concerns. While the release notes highlight several functional improvements, the “additional cybersecurity updates and patches” are the primary defense against this root-access exploit.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
