Description
An attacker with a network connection could detect credentials in clear text.
Published: 2026-01-07
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Credential theft via clear‑text transmission
Action: Patch
AI Analysis

Impact

The vulnerability allows an attacker who can observe network traffic to detect credentials transmitted in clear text. This disclosure exposes user authentication information, enabling credential compromise and potential unauthorized access. The weakness aligns with CWE‑319 (cleartext transmission of sensitive information) and directly affects confidentiality.

Affected Systems

The affected product is the EFACEC QC series (models 60, 90, and 120). No specific firmware or software version numbers are provided in the data.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity due to the loss of confidentiality, while the EPSS score of less than 1% suggests a low but non‑zero likelihood of exploitation. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires an attacker with direct network connectivity to the device, typically via a man‑in‑the‑middle position or insider access, to capture the clear‑text credentials as they are exchanged. Proper network segmentation and the use of encrypted channels would mitigate the exploitation vector.

Generated by OpenCVE AI on April 18, 2026 at 08:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the EFACEC QC firmware to a version that encrypts credential transmission (check the vendor’s release notes for the fix).
  • Reconfigure the system to use TLS or another secure authentication protocol, thereby preventing clear‑text credential exchange.
  • Implement network monitoring or intrusion detection to alert on the presence of clear‑text credential traffic, and block or quarantine such connections.


History

Wed, 07 Jan 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 07 Jan 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | An attacker with a network connection could detect credentials in clear text. |
| Title | | EXCHANGE OF CREDENTIALS IN CLEAR TEXT |
| Weaknesses | | CWE-319 |
| References | | |
| Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'} |



MITRE

Status: PUBLISHED

Assigner: S21sec

Published:

Updated: 2026-01-07T16:38:40.422Z

Reserved: 2026-01-07T14:01:04.829Z

Link: CVE-2026-22544

Vulnrichment

Updated: 2026-01-07T16:38:08.886Z

NVD

Status: Deferred

Published: 2026-01-07T17:16:04.207

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22544


OpenCVE Enrichment

Updated: 2026-04-18T08:15:15Z
