Description
The device is deployed with weak and publicly known default passwords for certain hidden user levels, increasing the risk of unauthorized access. This represents a high risk to the integrity of the system.
Published: 2026-01-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Weak Default Passwords
Action: Apply Workaround
AI Analysis

Impact

The vulnerability resides in the use of weak, publicly known default passwords for hidden user accounts on the SICK AG TDC‑X401GL device. This flaw allows an attacker to gain unauthorized access to privileged system functions, potentially modifying configurations or breaching the integrity of the device. The weakness is classified as CWE‑1391, a credential management issue that can lead to privilege escalation within the device’s administrative scope.

Affected Systems

The TDC‑X401GL model from SICK AG is affected. No specific firmware versions are listed, so all versions of the product with the default credentials remain susceptible until a patch or firmware update is applied.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, yet the EPSS score is below 1% and the vulnerability is not currently present in CISA’s KEV catalog, suggesting a low likelihood of exploitation. The likely attack vector involves remote credential theft or brute‑force using known default passwords, which does not require local access. Since no official patch is available, the only viable mitigation relies on the vendor-specified workaround. The risk level is therefore moderate, dependent on the presence of exposed default credentials.

Generated by OpenCVE AI on April 18, 2026 at 16:13 UTC.

Remediation

Vendor Workaround

Upon completion of the initial device setup, deactivate AppEngine. Disabling it fully mitigates this vulnerability.

OpenCVE Recommended Actions

  • Deactivate AppEngine after the initial device setup to disable the exposed credential channel, following the vendor’s recommendation.
  • Change all default hidden user level passwords to strong, unique credentials immediately after device provisioning.
  • Monitor the vendor website for firmware updates or security patches addressing the default password issue, and apply the update promptly when available.

Generated by OpenCVE AI on April 18, 2026 at 16:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Title Weak Default Passwords Enable Unauthorized Access on SICK AG TDC-X401GL

Fri, 23 Jan 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Sick
Sick tdc-x401gl
Sick tdc-x401gl Firmware
CPEs cpe:2.3:h:sick:tdc-x401gl:-:*:*:*:*:*:*:*
cpe:2.3:o:sick:tdc-x401gl_firmware:*:*:*:*:*:*:*:*
Vendors & Products Sick
Sick tdc-x401gl
Sick tdc-x401gl Firmware

Fri, 16 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Sick Ag
Sick Ag tdc-x401gl
Vendors & Products Sick Ag
Sick Ag tdc-x401gl

Thu, 15 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 15 Jan 2026 13:15:00 +0000

Type Values Removed Values Added
Description The device is deployed with weak and publicly known default passwords for certain hidden user levels, increasing the risk of unauthorized access. This represents a high risk to the integrity of the system.
Weaknesses CWE-1391
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Sick Tdc-x401gl Tdc-x401gl Firmware
Sick Ag Tdc-x401gl
cve-icon MITRE

Status: PUBLISHED

Assigner: SICK AG

Published:

Updated: 2026-01-15T14:40:17.107Z

Reserved: 2026-01-13T09:11:11.447Z

Link: CVE-2026-22910

cve-icon Vulnrichment

Updated: 2026-01-15T14:40:12.702Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-15T13:16:05.673

Modified: 2026-01-23T15:45:28.423

Link: CVE-2026-22910

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T16:15:04Z

Weaknesses