CVE-2026-22906

Summary

User credentials are stored using AES‑ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration file can decrypt and recover plaintext usernames and passwords, especially when combined with the authentication bypass.

Affected Software

VendorProductVersion RangeStatus
WAGO0852-13220.0.0 <= 2.64affected
WAGO0852-13280.0.0 <= 2.64affected
WAGO0852-13222.64affected
WAGO0852-13282.64affected

Weaknesses

  • CWE-321: CWE-321 Use of Hard-coded Cryptographic Key

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References