Description
User credentials are stored using AES‑ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration file can decrypt and recover plaintext usernames and passwords, especially when combined with the authentication bypass.
Published: 2026-02-09
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Credential Disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from the use of AES‑ECB mode with a hardcoded key to encrypt user credentials stored in the configuration file. Because the key is fixed and publicly known, an attacker who obtains the file can decrypt it and recover plaintext usernames and passwords. When the same device also has an authentication bypass that permits unauthenticated access, the attacker can combine these weaknesses to compromise the device's identity layer.

Affected Systems

The affected devices are WAGO industrial automation controllers with product identifiers 0852‑1322 and 0852‑1328. These models ship with the described configuration storage mechanism and are susceptible to the credential disclosure flaw.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical impact, while the EPSS score of less than 1% suggests a low probability of exploitation today, though the vulnerability remains present. The flaw is not listed in KEV, but attackers can target the devices by remotely downloading the configuration file—an operation that is possible when the device's network interface allows unauthenticated access—then applying the known hardcoded key to decrypt credentials. If the device also suffers from the authentication bypass, the attacker can gain full control without first authenticating.

Generated by OpenCVE AI on April 17, 2026 at 21:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device to the latest firmware that eliminates the hardcoded AES‑ECB key and implements secure key generation or key derivation mechanisms.
  • If a firmware update is not yet available, immediately disable remote access to the configuration file and restrict any network access to the device to trusted, isolated segments only.
  • Change all default or existing usernames and passwords on the affected devices and enable any available multifactor authentication or stricter access controls.

Generated by OpenCVE AI on April 17, 2026 at 21:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Wago
Wago 0852-1322
Wago 0852-1328
Vendors & Products Wago
Wago 0852-1322
Wago 0852-1328

Mon, 09 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 08:00:00 +0000

Type Values Removed Values Added
Description User credentials are stored using AES‑ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration file can decrypt and recover plaintext usernames and passwords, especially when combined with the authentication bypass.
Title Hardcoded Key Allows Credential Disclosure
Weaknesses CWE-321
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wago 0852-1322 0852-1328
cve-icon MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published:

Updated: 2026-02-09T15:31:17.549Z

Reserved: 2026-01-13T08:33:25.684Z

Link: CVE-2026-22906

cve-icon Vulnrichment

Updated: 2026-02-09T15:30:59.187Z

cve-icon NVD

Status : Deferred

Published: 2026-02-09T08:16:11.723

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22906

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T21:45:28Z

Weaknesses