Tattile Surveillance Devices Allow Unauthenticated Access to Live Video Streams

Summary

Tattile Smart+, Vega, and Basic surveillance devices with outdated firmware can be accessed remotely without a password, allowing unauthorized viewing of live video feeds. This means that anyone can potentially see what your security cameras are seeing. Update your firmware to the latest version to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
tattile	smart\+_firmware	<= 1.181.5	–
tattile	tolling\+_firmware	<= 1.181.5	–
tattile	smart\+_speed_firmware	<= 1.181.5	–
tattile	smart\+_traffic_light_firmware	<= 1.181.5	–
tattile	axle_counter_firmware	<= 1.181.5	–
tattile	vega53_firmware	<= 1.181.5	–
tattile	vega33_firmware	<= 1.181.5	–
tattile	vega11_firmware	<= 1.181.5	–
tattile	basic_mk2_firmware	<= 1.181.5	–
tattile	anpr_mobile_firmware	<= 1.181.5	–

Original title

Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior expose RTSP streams without requiring authentication. A remote attacker can connect to the RTSP service and acces...

Original description

Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior expose RTSP streams without requiring authentication. A remote attacker can connect to the RTSP service and access live video/audio streams without valid credentials, resulting in unauthorized disclosure of surveillance data.

nvd CVSS3.1 7.5

nvd CVSS4.0 8.7

Vulnerability type

CWE-306 Missing Authentication for Critical Function

https://www.tattile.com/ Product
https://www.vulncheck.com/advisories/tattile-smart-vega-basic-unauthenticated-rt... Third Party Advisory VDB Entry
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5978.php Third Party Advisory Exploit