
Tattile Cameras 1.181.5 Unauthenticated RTSP Stream Disclosure

Medium
Advisory ID
ZSL-2026-5978
Release Date
24 February 2026
Vendor
Tattile s.r.l. - https://www.tattile.com
Affected Version
Smart+ family: Smart+, Tolling+, Smart+ Speed, Smart+ Traffic Light; Vega family: Axle Counter, Vega 53, Vega33 & Vega 11; Basic family: Basic MK2, ANPR Mobile; Firmware: 1.181.5
Tested On
lighttpd/1.4.64
Summary

Tattile is an Italian manufacturer specializing in advanced ANPR/ALPR, traffic‑enforcement, and machine‑vision camera systems used across intelligent transportation networks, tolling infrastructures, access‑control environments, and industrial automation. Their portfolio includes high‑performance ITS cameras capable of vehicle identification, speed and red‑light enforcement, free‑flow tolling, and multi‑lane traffic monitoring, as well as compact ANPR units for parking and perimeter control, and industrial smart cameras for inspection and quality assurance. Across all model families, Tattile devices combine ruggedized hardware with onboard image processing, AI‑based vehicle analytics, and high‑sensitivity sensors designed for continuous operation in demanding outdoor conditions, making them critical components in modern traffic management and enforcement architectures.

Description

The Tattile cameras allow unauthenticated and unauthorized access to the live RTSP video stream.

Proof of Concept
Disclosure Timeline
22.01.2026: Vulnerability discovered.
22.01.2026: Vendor contacted.
23.01.2026: Vendor responds asking for account registration on their Academy portal and submitting a ticket.
23.01.2026: Responded to the vendor, sent details and asked for further planning.
26.01.2026: Working with the vendor.
06.02.2026: Asked vendor for status update.
10.02.2026: Vendor is assessing the problem.
11.02.2026: Vendor confirms the vulnerability, shares patch planning in May, 2026.
18.02.2026: Vendor confirms other vulnerabilities, all scheduled to be patched in week 19.
18.02.2026: Provided 3 CVEs to the vendor and asked for latest firmware version and affected models for confirmation.
20.02.2026: Vendor confirms all models affected by the 3 CVEs, provides current vulnerable firmware version information 1.181.5.
20.02.2026: Responded to the vendor.
23.02.2026: Sent draft advisories to the vendor for review/comments.
24.02.2026: Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
24.02.2026: Initial release
27.02.2026: Added references [2] and [3]