CVE-2026-9770

Severity CVSS v4.0:
HIGH
Type:
CWE-321 Use of Hard-coded Cryptographic Key
Publication date:
15/07/2026
Last modified:
15/07/2026

Description

Kasa EC71 v4 and EC70 v4 firmware contains a static cryptographic private key stored in a read-only filesystem<br /> that is shared across devices.  An<br /> attacker with access to the firmware image can extract the embedded key.  <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> Successful<br /> exploitation may allow an unauthenticated attacker on the same network to use<br /> this key in the web management service, compromising the confidentiality of<br /> encrypted communications. This may enable passive decryption of traffic or<br /> active man-in-the-middle (MITM) attacks