Description
The device's passwords have not been adequately salted, making them vulnerable to password extraction attacks.
Published: 2026-01-15
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Credential compromise via unsalted password extraction
Action: Apply Workaround
AI Analysis

Impact

The device stores passwords without adequate salting, creating a weakness that allows an attacker to extract and recover those passwords. This vulnerability can lead to compromise of device credentials, providing unauthorized access to device configuration, monitoring data, and potentially related network resources. The weakness is classified as CWE-1391, which identifies the use of cryptographic keys or password hashing functions with insufficient salting.

Affected Systems

The vulnerability affects all SICK AG TDC-X401GL devices. No specific firmware or hardware revision information is included in the advisory, so all current units should be considered at risk until a corrective update is applied.

Risk and Exploitability

The CVSS base score of 3.7 indicates low severity. The EPSS score of less than 1% suggests that the likelihood of exploitation is very low at present. The vulnerability is not listed in the CISA KEV catalog, further reducing the probability of widespread exploitation. Based on the description, it is inferred that an attacker who can authenticate to the device or gain access through available interfaces could attempt to extract stored passwords. No specific remote attack vector is documented, so the risk to remote users is likely minimal unless additional network exposure exists.

Generated by OpenCVE AI on April 18, 2026 at 06:08 UTC.

Remediation

Vendor Workaround

Upon completion of the initial device setup, deactivate AppEngine. Disabling it fully mitigates this vulnerability.


OpenCVE Recommended Actions

  • Deactivate AppEngine immediately after initial device setup as the vendor recommends
  • Apply any available firmware update that addresses password salting weaknesses
  • After deactivation, reset all device passwords to secure, unique values

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 06:30:00 +0000

Type   | Values Removed | Values Added
Title  | (none)         | Password Salting Weakness in SICK TDC-X401GL Device

Fri, 23 Jan 2026 18:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared | (none)         | Sick; Sick tdc-x401gl; Sick tdc-x401gl Firmware
CPEs                | (none)         | cpe:2.3:h:sick:tdc-x401gl:-:*:*:*:*:*:*:*; cpe:2.3:o:sick:tdc-x401gl_firmware:*:*:*:*:*:*:*:*
Vendors & Products  | (none)         | Sick; Sick tdc-x401gl; Sick tdc-x401gl Firmware

Fri, 16 Jan 2026 14:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared | (none)         | Sick Ag; Sick Ag tdc-x401gl
Vendors & Products  | (none)         | Sick Ag; Sick Ag tdc-x401gl

Thu, 15 Jan 2026 15:15:00 +0000

Type    | Values Removed | Values Added
Metrics | (none)         | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 15 Jan 2026 13:15:00 +0000

Type        | Values Removed | Values Added
Description | (none)         | The device's passwords have not been adequately salted, making them vulnerable to password extraction attacks.
Weaknesses  | (none)         | CWE-1391
References  | (none)         | (none shown)
Metrics     | (none)         | cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: SICK AG

Published:

Updated: 2026-01-15T14:32:47.107Z

Reserved: 2026-01-13T09:11:12.759Z

Link: CVE-2026-22920

Vulnrichment

Updated: 2026-01-15T14:32:42.620Z

NVD

Status: Analyzed

Published: 2026-01-15T13:16:07.063

Modified: 2026-01-23T18:36:58.230

Link: CVE-2026-22920

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:15:15Z

Weaknesses