Skip to main content

Openplc V3 EUVDEUVD-2026-21041

| CVE-2026-35556 CRITICAL
Plaintext Storage of a Password (CWE-256)
2026-04-09 icscert GHSA-xgm5-hf6v-855x
9.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
Apr 16, 2026 - 20:52 vuln.today
cvss_changed
EUVD ID Assigned
Apr 09, 2026 - 19:15 euvd
EUVD-2026-21041
Analysis Generated
Apr 09, 2026 - 19:15 vuln.today
CVE Published
Apr 09, 2026 - 18:57 nvd
CRITICAL 9.2

DescriptionCVE.org

OpenPLC_V3 is vulnerable to a Plaintext Storage of a Password vulnerability that could allow an attacker to retrieve credentials and access sensitive information.

AnalysisAI

Plaintext credential storage in OpenPLC_V3 enables network-based attackers to retrieve authentication credentials without requiring prior authentication or user interaction, leading to complete system compromise. The CVSS v4.0 score of 9.2 reflects critical-severity risk from network-accessible credential exposure affecting confidentiality and integrity across all OpenPLC_V3 deployments. No public exploit identified at time of analysis.

Technical ContextAI

CWE-256 plaintext password storage vulnerability in OpenPLC_V3 exposes credentials through insecure storage mechanisms accessible via network vectors (AV:N). Attack complexity is low (AC:L) with no authentication barrier (PR:N), allowing direct credential retrieval from storage locations without cryptographic protection.

RemediationAI

Immediately implement credential encryption for all stored passwords using industry-standard hashing algorithms (bcrypt, Argon2) with appropriate salt values. Review CISA ICS Advisory ICSA-25-345-10 for vendor-specific remediation guidance at https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-10. No vendor-released patch identified at time of analysis. Interim mitigations: restrict network access to OpenPLC_V3 management interfaces through firewall rules permitting only trusted IP ranges, implement network segmentation isolating industrial control systems from general networks, enforce principle of least privilege for system access, rotate all existing credentials immediately, and monitor authentication logs for unauthorized access attempts.

Share

EUVD-2026-21041 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy