CVE-2026-22906

9.8 CRITICAL

Published 2026-02-09 · Modified 2026-02-09 · Awaiting Analysis

Quick Summary

This is a critical vulnerability where user login credentials are stored using a weak, hardcoded encryption method. Anyone who obtains the stored credentials can decrypt them with the hardcoded key, and the impact grows when this is combined with the associated authentication bypass.

Who is affected

Any system using this vulnerable configuration is affected. An unauthenticated remote attacker could steal all user passwords and gain unauthorized access to accounts.

Recommended fix

Immediately replace the hardcoded AES-ECB encryption with a strong, standard method like AES-GCM using a securely generated and managed key. Also, patch the associated authentication bypass flaw.

Technical Description

User credentials are stored using AES-ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration file can decrypt and recover plaintext usernames and passwords, especially when combined with the authentication bypass.
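The two storage schemes contrasted in the recommended fix and the technical description, as an added example that is not code from the advisory or from the affected product. It is a stand-alone Go program using only the standard library: `ecbEncrypt` reproduces the weak pattern (AES-ECB under a fixed key, here a constructed placeholder value), `hasRepeatedBlock` is a simple check a reviewer can run over a stored credential blob to spot ECB-style storage, and `gcmSeal`/`gcmOpen` show the AES-GCM replacement with a freshly generated key, a random nonce and an authentication tag. The key, the sample password and the `user:alice` associated data are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// hardcodedKey stands in for the fixed key a vulnerable build ships with.
// Constructed placeholder for this example, not a value from the advisory.
var hardcodedKey = []byte("0123456789abcdef0123456789abcdef")

// pkcs7Pad pads data to a whole number of blocks, as ECB requires.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// ecbEncrypt is the weak scheme: every 16-byte block is encrypted on its own,
// so equal plaintext blocks yield equal ciphertext blocks, the output is the
// same every time, and one fixed key unlocks every installation's store.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padded := pkcs7Pad(plaintext, bs)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += bs {
		block.Encrypt(out[i:i+bs], padded[i:i+bs])
	}
	return out, nil
}

// hasRepeatedBlock flags a stored blob containing two identical 16-byte
// blocks; with a randomised mode that is vanishingly unlikely, with ECB it
// happens whenever the plaintext repeats.
func hasRepeatedBlock(ciphertext []byte) bool {
	seen := make(map[string]bool)
	for i := 0; i+aes.BlockSize <= len(ciphertext); i += aes.BlockSize {
		b := string(ciphertext[i : i+aes.BlockSize])
		if seen[b] {
			return true
		}
		seen[b] = true
	}
	return false
}

// newKey generates a fresh 256-bit key. In production it lives in a secrets
// manager or is derived from a managed master key, never in source or config.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// gcmSeal is the recommended replacement: AES-GCM with a random 96-bit nonce
// prepended to the output, and aad (e.g. the account name) bound into the tag
// so a ciphertext cannot be moved from one record to another.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen splits off the nonce and verifies the tag before returning anything;
// a modified ciphertext or mismatched aad yields an error, not garbage.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed credential too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed sample: a 32-byte password made of two identical blocks.
	pw := bytes.Repeat([]byte("hunter2hunter2hh"), 2)
	ecb, _ := ecbEncrypt(hardcodedKey, pw)
	fmt.Println("ECB exposes repeated block:", hasRepeatedBlock(ecb))
	key, _ := newKey()
	sealed, _ := gcmSeal(key, pw, []byte("user:alice"))
	fmt.Println("GCM exposes repeated block:", hasRepeatedBlock(sealed))
}
```

The check in `hasRepeatedBlock` is deliberately crude: it only detects repetition, not every ECB blob, so treat a hit as a prompt to review how the store is encrypted rather than as proof on its own.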

CVSS Details

Attack Vector

NETWORK

Complexity

LOW

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-321
