{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22906", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "state": "PUBLISHED", "assignerShortName": "CERTVDE", "dateReserved": "2026-01-13T08:33:25.684Z", "datePublished": "2026-02-09T07:40:33.546Z", "dateUpdated": "2026-02-09T15:31:17.549Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "0852-1322", "vendor": "WAGO", "versions": [{"lessThanOrEqual": "2.64", "status": "affected", "version": "0.0.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "0852-1328", "vendor": "WAGO", "versions": [{"lessThanOrEqual": "2.64", "status": "affected", "version": "0.0.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "0852-1322", "vendor": "WAGO", "versions": [{"status": "affected", "version": "2.64"}]}, {"defaultStatus": "unaffected", "product": "0852-1328", "vendor": "WAGO", "versions": [{"status": "affected", "version": "2.64"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Diconium"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "User credentials are stored using AES\u2011ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration file can decrypt and recover plaintext usernames and passwords, especially when combined with the authentication bypass.<br>"}], "value": "User credentials are stored using AES\u2011ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration file can decrypt and recover plaintext usernames and passwords, especially when combined with the authentication bypass."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-321", "description": "CWE-321 Use of Hard-coded Cryptographic Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2026-02-09T07:40:33.546Z"}, "references": [{"url": "https://certvde.com/de/advisories/VDE-2026-004"}], "source": {"advisory": "VDE-2026-004", "defect": ["CERT@VDE#641934"], "discovery": "UNKNOWN"}, "title": "Hardcoded Key Allows Credential Disclosure", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-09T15:29:06.439394Z", "id": "CVE-2026-22906", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:31:17.549Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22906", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-09T15:29:06.439394Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:30:59.187Z"}}], "cna": {"title": "Hardcoded Key Allows Credential Disclosure", "source": {"defect": ["CERT@VDE#641934"], "advisory": "VDE-2026-004", "discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Diconium"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WAGO", "product": "0852-1322", "versions": [{"status": "affected", "version": "0.0.0", "versionType": "semver", "lessThanOrEqual": "2.64"}], "defaultStatus": "unaffected"}, {"vendor": "WAGO", "product": "0852-1328", "versions": [{"status": "affected", "version": "0.0.0", "versionType": "semver", "lessThanOrEqual": "2.64"}], "defaultStatus": "unaffected"}, {"vendor": "WAGO", "product": "0852-1322", "versions": [{"status": "affected", "version": "2.64"}], "defaultStatus": "unaffected"}, {"vendor": "WAGO", "product": "0852-1328", "versions": [{"status": "affected", "version": "2.64"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://certvde.com/de/advisories/VDE-2026-004"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "User credentials are stored using AES\u2011ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration file can decrypt and recover plaintext usernames and passwords, especially when combined with the authentication bypass.", "supportingMedia": [{"type": "text/html", "value": "User credentials are stored using AES\u2011ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration file can decrypt and recover plaintext usernames and passwords, especially when combined with the authentication bypass.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-321", "description": "CWE-321 Use of Hard-coded Cryptographic Key"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2026-02-09T07:40:33.546Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22906", "state": "PUBLISHED", "dateUpdated": "2026-02-09T15:31:17.549Z", "dateReserved": "2026-01-13T08:33:25.684Z", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "datePublished": "2026-02-09T07:40:33.546Z", "assignerShortName": "CERTVDE"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "User credentials are stored using AES\u2011ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration file can decrypt and recover plaintext usernames and passwords, especially when combined with the authentication bypass."}, {"lang": "es", "value": "Las credenciales de usuario se almacenan utilizando cifrado AES?ECB con una clave codificada de forma r\u00edgida. Un atacante remoto no autenticado que obtenga el archivo de configuraci\u00f3n puede descifrar y recuperar nombres de usuario y contrase\u00f1as en texto plano, especialmente cuando se combina con la omisi\u00f3n de autenticaci\u00f3n."}], "id": "CVE-2026-22906", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "info@cert.vde.com", "type": "Primary"}]}, "published": "2026-02-09T08:16:11.723", "references": [{"source": "info@cert.vde.com", "url": "https://certvde.com/de/advisories/VDE-2026-004"}], "sourceIdentifier": "info@cert.vde.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-321"}], "source": "info@cert.vde.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0.0.0,2.64]"}}], "product": "0852-1322", "vendor": "wago"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.64"}}], "product": "0852-1322", "vendor": "wago"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0.0.0,2.64]"}}], "product": "0852-1328", "vendor": "wago"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.64"}}], "product": "0852-1328", "vendor": "wago"}], "analysis": {"en": {"generated_at": "2026-04-17T21:31:38.889801+00:00", "value": {"mitigation_remediation": ["Upgrade the device to the latest firmware that eliminates the hardcoded AES\u2011ECB key and implements secure key generation or key derivation mechanisms.", "If a firmware update is not yet available, immediately disable remote access to the configuration file and restrict any network access to the device to trusted, isolated segments only.", "Change all default or existing usernames and passwords on the affected devices and enable any available multifactor authentication or stricter access controls."], "summary": {"action": "Immediate Patch", "impact": "Remote Credential Disclosure"}, "threat_synthesis": {"affected_systems": "The affected devices are WAGO industrial automation controllers with product identifiers 0852\u20111322 and 0852\u20111328. These models ship with the described configuration storage mechanism and are susceptible to the credential disclosure flaw.", "description_and_impact": "The vulnerability arises from the use of AES\u2011ECB mode with a hardcoded key to encrypt user credentials stored in the configuration file. Because the key is fixed and publicly known, an attacker who obtains the file can decrypt it and recover plaintext usernames and passwords. When the same device also has an authentication bypass that permits unauthenticated access, the attacker can combine these weaknesses to compromise the device's identity layer.", "risk_and_exploitability": "The CVSS score of 9.8 indicates a critical impact, while the EPSS score of less than 1% suggests a low probability of exploitation today, though the vulnerability remains present. The flaw is not listed in KEV, but attackers can target the devices by remotely downloading the configuration file\u2014an operation that is possible when the device's network interface allows unauthenticated access\u2014then applying the known hardcoded key to decrypt credentials. If the device also suffers from the authentication bypass, the attacker can gain full control without first authenticating."}}}}, "created": "2026-02-10T12:23:49.201286+00:00", "updated": "2026-04-17T21:45:28.601759+00:00", "vendors": ["wago", "wago$PRODUCT$0852-1322", "wago$PRODUCT$0852-1328"]}