Description
The lack of hardening of the system allows the user used to manage and maintain the charger to consult different files containing clear-text credentials or valuable information for an attacker.
Published: 2026-01-07
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

The vulnerability arises from a lack of hardening in the operating system, enabling the user assigned to manage and maintain the charger to access a variety of files that contain clear-text credentials and other sensitive information. This can lead to unauthorized disclosure of authentication details and asset data, potentially compromising the integrity and confidentiality of the surrounding environment. The weakness is cataloged as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere).

Affected Systems

The flaw affects systems running EFACEC QC 60, QC 90, and QC 120 firmware. No specific version numbers are disclosed, so the entire product line may be vulnerable until hardening measures are applied.

Risk and Exploitability

With a CVSS v4.0 score of 6.8, the severity is Medium, reflecting the potential impact if an attacker gains sufficient access. The EPSS score is less than 1%, suggesting a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is local and requires low privileges (AV:L/PR:L in the CVSS vector): the operator or maintenance user must be able to read the exposed files. Despite the low exploitation probability, the nature of the disclosed information warrants urgent remediation.

Generated by OpenCVE AI on April 18, 2026 at 08:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict file system permissions so that only authorized users can read credential files
  • Remove or encrypt clear‑text credential files from the system
  • Apply operating system hardening best practices to close exposed file locations
  • Monitor system logs for unauthorized file access attempts



Advisories

No advisories yet.

References
History

Thu, 08 Jan 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Efacec; Efacec qc 120; Efacec qc 60; Efacec qc 90
Vendors & Products | | Efacec; Efacec qc 120; Efacec qc 60; Efacec qc 90

Wed, 07 Jan 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 Jan 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | The lack of hardening of the system allows the user used to manage and maintain the charger to consult different files containing clear-text credentials or valuable information for an attacker.
Title | | INFORMATION DISCLOSURE WITHIN THE OPERATING SYSTEM
Weaknesses | | CWE-497
References | |
Metrics | | cvssV4_0 {'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: S21sec

Published:

Updated: 2026-01-07T17:23:18.255Z

Reserved: 2026-01-07T14:01:04.828Z

Link: CVE-2026-22537

Vulnrichment

Updated: 2026-01-07T17:23:13.854Z

NVD

Status: Deferred

Published: 2026-01-07T17:16:03.917

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22537

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:15:15Z

Weaknesses