CVE 9.8 CRITICAL

Hardcoded Key Allows Credential Disclosure_CVE-2026-22906

February 9, 2026 invoker category_cve

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

User credentials are stored using AES‑ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration file can decrypt and recover plaintext usernames and passwords, especially when combined with the authentication bypass.

AI Analysis

Hardcoded key vulnerability allowing credential disclosure in WAGO 0852-1322 and 0852-1328 products

Basic Information

ID CVE-2026-22906

Source CERTVDE

Published Feb 9, 2026 at 07:40

Affected Product

Vendor WAGO

Product 0852-1322

Version 0.0.0, 2.64

Affected Versions WAGO 0852-1322 0.0.0
WAGO 0852-1328 0.0.0
WAGO 0852-1322 2.64
WAGO 0852-1328 2.64

CWE Classification

CWE-321

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor WAGO

Product WAGO 0852-1322 and 0852-1328

Version 0.0.0, 2.64

References

certvde.com /de/advisories/VDE-2026-004

{
    "lastseen": "",
    "description": "User credentials are stored using AES\u2011ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration file can decrypt and recover plaintext usernames and passwords, especially when combined with the authentication bypass.",
    "published": "2026-02-09T07:40:33.546Z",
    "modified": "2026-02-09T07:40:33.546Z",
    "type": "cve",
    "title": "Hardcoded Key Allows Credential Disclosure",
    "source": "CERTVDE",
    "references": "https://certvde.com/de/advisories/VDE-2026-004",
    "id": "CVE-2026-22906",
    "bulletinFamily": "",
    "cwe": [
        "CWE-321"
    ],
    "cvelist": null,
    "sourceData": "WAGO 0852-1322 0.0.0\nWAGO 0852-1328 0.0.0\nWAGO 0852-1322 2.64\nWAGO 0852-1328 2.64",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "0852-1322",
    "version": "0.0.0, 2.64",
    "vendor": "WAGO",
    "ai_description": "Hardcoded key vulnerability allowing credential disclosure in WAGO 0852-1322 and 0852-1328 products",
    "ai_severity": "Critical",
    "ai_vendor": "WAGO",
    "ai_product": "WAGO 0852-1322 and 0852-1328",
    "ai_version": "0.0.0, 2.64",
    "ai_score": 9.8
}

💭 Join the Security Discussion ❌ Cancel Reply