Description
The underlying PLC of the device can be remotely influenced, without proper safeguards or authentication.
Published: 2026-02-20
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Unauthorized Control
Action: Assess Impact
AI Analysis

Impact

The vulnerability stems from missing authentication on a critical function of the PLC, allowing a remote actor to influence the device’s internal logic without proper safeguards. Because the flaw is a lack of authentication (CWE-306), an attacker could trigger or manipulate these functions, potentially altering device behavior and undermining safety or security operations. The impact is primarily on integrity and availability of the system’s normal functioning.

Affected Systems

Welker’s OdorEyes EcoSystem Pulse Bypass System with XL4 Controller is affected. Version details are not provided in the advisory, so all deployed units of this device are presumed vulnerable unless verified as patched.

Risk and Exploitability

The advisory lists a CVSS base score of 8.2, indicating high severity, but the EPSS is reported as less than 1%, signifying a low probability of exploitation in the wild. The vulnerability is not currently in CISA’s KEV catalog. The likely attack vector is remote, inferred from the statement that the PLC can be “remotely influenced.” Exploitation would require network connectivity to the PLC and an understanding of its exposed interfaces, but no specific authentication or privilege prerequisites are disclosed in the description.

Generated by OpenCVE AI on April 17, 2026 at 17:22 UTC.

Remediation

Vendor Workaround

Welker did not respond to CISA's attempts at coordination. Users of Welker OdorEyes devices are encouraged to contact Welker and keep their systems up to date.


OpenCVE Recommended Actions

  • Apply any available vendor patch or firmware update for the OdorEyes EcoSystem Pulse Bypass System with XL4 Controller.
  • If a patch is not yet released, isolate the device at the network perimeter using firewalls or segmentation to restrict inbound access to the PLC ports.
  • Follow the vendor’s recommended guidance: contact Welker, obtain the latest updates, and keep the system’s software current.


Advisories

No advisories yet.

History

Mon, 23 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Welker; Welker odoreyes Ecosystem Pulse Bypass System With Xl4 Controller
Vendors & Products | | Welker; Welker odoreyes Ecosystem Pulse Bypass System With Xl4 Controller

Fri, 20 Feb 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description | | The underlying PLC of the device can be remotely influenced, without proper safeguards or authentication.
Title | | Welker OdorEyes EcoSystem Pulse Bypass System with XL4 Controller Missing Authentication for Critical Function
Weaknesses | | CWE-306
References | |
Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L'}


Subscriptions

Welker Odoreyes Ecosystem Pulse Bypass System With Xl4 Controller
MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-02-20T18:59:34.973Z

Reserved: 2026-02-05T19:05:16.840Z

Link: CVE-2026-24790

Vulnrichment

Updated: 2026-02-20T18:59:25.728Z

NVD

Status: Deferred

Published: 2026-02-20T17:25:51.313

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24790

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:30:23Z

Weaknesses