Status: Vendor Acknowledged
Disclosure Date: 2026-02-01
Public Disclosure: 2026-05-02 (90 days)


I decided that 2026 was going to be the year I started looking at IoT devices. It took me a matter of minutes to get to this.

I've discovered critical security vulnerabilities in a popular projector product line. I'm withholding the vendor and model details until the public disclosure date to give them time to patch.

What I Found

2 confirmed vulnerabilities submitted to vendor:

  • 1 Critical (CVSS 9.6) - Unauthenticated remote root access
  • 1 High (CVSS 8.8) - Unauthenticated remote device control

6 additional vulnerabilities are still under investigation and will be submitted separately as soon as I've fully confirmed them.

Why This Matters

If you own one of the affected devices and use it on a shared network (hotel WiFi, office, anywhere others have network access), an attacker could:

  • Gain complete root control of your projector without authentication, in 3 easy steps
  • Extract your WiFi password (compromising your entire network)
  • Control your device remotely (volume, display settings, etc.)
  • Install persistent malware

I'll publish the full details - including which products are affected and how to check if you're vulnerable - on 2026-05-02, or sooner if the vendor releases patches.

Timeline

Date            Event
January 2026    Vulnerabilities discovered
2026-02-01      Vendor notified (2 CVEs)
2026-02-02      Vendor acknowledged, escalated for review
Ongoing         Investigation of 6 additional vulnerabilities
2026-05-02      Planned public disclosure

Contact

If you have questions about this advisory, you can reach me at stefan@whitelabel.org.


I'll update this page with affected products and full technical details after the disclosure deadline.