CVE-2026-22906Use of Hard-coded Cryptographic Key in 0852-1322

CWE-321Use of Hard-coded Cryptographic Key3 documents3 sources
Severity
9.8CRITICALNVD
EPSS
0.0%
top 84.90%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Wago 0852-1322Wago 0852-1328
Timeline
PublishedFeb 9

Description

User credentials are stored using AES‑ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration file can decrypt and recover plaintext usernames and passwords, especially when combined with the authentication bypass.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

CVEListV5wago/0852-13220.0.02.64+1
CVEListV5wago/0852-13280.0.02.64+1

🔴Vulnerability Details

2
GHSA
GHSA-q336-fj7p-g7vx: User credentials are stored using AES‑ECB encryption with a hardcoded key2026-02-09
CVEList
Hardcoded Key Allows Credential Disclosure2026-02-09
CVE-2026-22906 — Use of Hard-coded Cryptographic Key | cvebase