CVE-2026-22906
published 2026-02-09CVE-2026-22906: User credentials are stored using AES‑ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration file can decrypt and…
critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
User credentials are stored using AES‑ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration file can decrypt and recover plaintext usernames and passwords, especially when combined with the authentication bypass.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wago | 0852-1322 | — | — |
| wago | 0852-1322 | 0.0.0 – 2.64 | — |
| wago | 0852-1328 | — | — |
| wago | 0852-1328 | 0.0.0 – 2.64 | — |