Description
The credentials required to access the device's web server are sent in base64 within the HTTP headers. Since base64 is not considered a strong cipher, an attacker could intercept the web request handling the login and obtain the credentials
Published: 2026-01-07
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Credential Disclosure
Action: Secure Auth
AI Analysis

Impact

Credentials used to log in to the device's web server are transmitted in base64 encoded form within HTTP headers. Because base64 is merely an encoding mechanism and not a form of encryption, an adversary can capture these headers and decode them, thereby learning valid usernames and passwords. The disclosed credentials allow the attacker to authenticate to the device, potentially gaining full administrative control. This flaw is a classic example of credential storage or transmission weaknesses, as identified by CWE‑261.

Affected Systems

The vulnerability applies to the EFACEC QC 60, QC 90, and QC 120 series of network security devices. No specific firmware versions are recorded in the CNA data, so all firmware builds running these hardware models could be susceptible until a vendor patch or other mitigation is applied.

Risk and Exploitability

The CVSS score of 6.9 marks the flaw as a medium severity issue, while the EPSS value of less than 1% indicates that exploitation is considered unlikely at this time. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is passive eavesdropping on unencrypted HTTP traffic to the device's web interface or active interception if the device is exposed on a network that can be accessed by an attacker. Because the credentials are sent in plain headers, the attack does not require privileged access to the device; capturing the traffic on the same LAN or through a man‑in‑the‑middle position suffices to compromise authentication.

Generated by OpenCVE AI on April 18, 2026 at 08:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Configure the device to use HTTPS or other secure transport mechanisms for the web interface, ensuring that credential headers are encrypted in transit.
  • If HTTPS cannot be enabled, isolate the device on a separate VLAN and restrict physical and network access to its management interfaces.
  • Change default or documented passwords immediately and enforce a strong password policy to reduce the impact of any captured credentials.

Generated by OpenCVE AI on April 18, 2026 at 08:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://cds.thalesgroup.com/en cve-icon cve-icon
History

Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Efacec
Efacec qc 120
Efacec qc 60
Efacec qc 90
Vendors & Products Efacec
Efacec qc 120
Efacec qc 60
Efacec qc 90

Wed, 07 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 16:30:00 +0000

Type Values Removed Values Added
Description The credentials required to access the device's web server are sent in base64 within the HTTP headers. Since base64 is not considered a strong cipher, an attacker could intercept the web request handling the login and obtain the credentials
Title WEEK ENCODING FOR PASSWORDS
Weaknesses CWE-261
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Efacec Qc 120 Qc 60 Qc 90
cve-icon MITRE

Status: PUBLISHED

Assigner: S21sec

Published:

Updated: 2026-01-07T16:57:16.512Z

Reserved: 2026-01-07T14:01:04.829Z

Link: CVE-2026-22543

cve-icon Vulnrichment

Updated: 2026-01-07T16:24:29.724Z

cve-icon NVD

Status : Deferred

Published: 2026-01-07T17:16:04.057

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22543

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T08:15:15Z

Weaknesses