Description
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Published: 2026-01-15
Score: n/a
EPSS: n/a
KEV: No
Impact: Credential compromise via unsalted password extraction
Action: Apply Workaround
AI Analysis

Impact

The device stores passwords without adequate salting, creating a weakness that allows an attacker to extract and recover those passwords. This vulnerability can lead to compromise of device credentials, providing unauthorized access to device configuration, monitoring data, and potentially related network resources. The weakness is classified as CWE-1391, which identifies the use of cryptographic keys or password hashing functions with insufficient salting.

Affected Systems

The vulnerability affects all SICK AG TDC‑X401GL devices. No specific firmware or hardware revision information is included in the advisory, so all current units should be considered at risk until a corrective update is applied.

Risk and Exploitability

The CVSS base score of 3.7 indicates a low severity impact. The EPSS score of less than 1% suggests that the likelihood of exploitation is very low at present. The vulnerability is not listed in the CISA KEV catalog, further reducing the probability of widespread exploitation. Based on the description, it is inferred that an attacker who can authenticate to the device or gain access through available interfaces could attempt to extract stored passwords. No specific remote attack vector is documented, so the risk to remote users is likely minimal unless additional network exposure exists.

Generated by OpenCVE AI on April 18, 2026 at 06:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deactivate AppEngine immediately after initial device setup as the vendor recommends
  • Apply any available firmware update that addresses password salting weaknesses
  • After deactivation, reset all device passwords to secure, unique values

Advisories

No advisories yet.

References

No reference.

History

Tue, 12 May 2026 09:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1391
CPEs cpe:2.3:h:sick:tdc-x401gl:-:*:*:*:*:*:*:*
cpe:2.3:o:sick:tdc-x401gl_firmware:*:*:*:*:*:*:*:*
Vendors & Products Sick
Sick tdc-x401gl
Sick tdc-x401gl Firmware
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Tue, 12 May 2026 09:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 08:30:00 +0000

Type Values Removed Values Added
Description The device's passwords have not been adequately salted, making them vulnerable to password extraction attacks. This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Sat, 18 Apr 2026 06:30:00 +0000

Type Values Removed Values Added
Title Password Salting Weakness in SICK TDC‑X401GL Device

Fri, 23 Jan 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Sick
Sick tdc-x401gl
Sick tdc-x401gl Firmware
CPEs cpe:2.3:h:sick:tdc-x401gl:-:*:*:*:*:*:*:*
cpe:2.3:o:sick:tdc-x401gl_firmware:*:*:*:*:*:*:*:*
Vendors & Products Sick
Sick tdc-x401gl
Sick tdc-x401gl Firmware

Fri, 16 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Sick Ag
Sick Ag tdc-x401gl
Vendors & Products Sick Ag
Sick Ag tdc-x401gl

Thu, 15 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 15 Jan 2026 13:15:00 +0000

Type Values Removed Values Added
Description The device's passwords have not been adequately salted, making them vulnerable to password extraction attacks.
Weaknesses CWE-1391
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: REJECTED

Assigner: SICK AG

Published:

Updated: 2026-05-12T07:30:49.900Z

Reserved: 2026-01-13T09:11:12.759Z

Link: CVE-2026-22920

Vulnrichment

Updated:

NVD

Status: Rejected

Published: 2026-01-15T13:16:07.063

Modified: 2026-05-12T09:16:18.200

Link: CVE-2026-22920

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:15:15Z

Weaknesses

No weakness.