Skip to main content

CVE-2026-22906

CRITICAL
Use of Hard-coded Cryptographic Key (CWE-321)
2026-02-09 info@cert.vde.com
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Feb 09, 2026 - 08:16 nvd
CRITICAL 9.8

DescriptionCVE.org

User credentials are stored using AES‑ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration file can decrypt and recover plaintext usernames and passwords, especially when combined with the authentication bypass.

AnalysisAI

A device stores user credentials using AES-ECB encryption with a hard-coded key, allowing any attacker to decrypt all stored passwords.

Technical ContextAI

CWE-321 hard-coded cryptographic key used with AES-ECB mode (which doesn't hide patterns) for credential storage. Any attacker can extract and decrypt all credentials.

Affected ProductsAI

Affected device

RemediationAI

Apply firmware update. Use proper key management and AES-GCM or AES-CBC instead of ECB.

Share

CVE-2026-22906 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy