
CVE-2026-22543: CWE-261: Weak encoding for passwords in EFACEC QC 60/90/120

Severity: Medium
Published: Wed Jan 07 2026 (01/07/2026, 16:10:57 UTC)
Source: CVE Database V5
Vendor/Project: EFACEC
Product: QC 60/90/120

Description

The credentials required to access the device's web server are sent in base64 within the HTTP headers. Since base64 is not considered a strong cipher, an attacker could intercept the web request handling the login and obtain the credentials.

AI-Powered Analysis

Last updated: 01/07/2026, 16:42:14 UTC

Technical Analysis

CVE-2026-22543 identifies a weakness in the EFACEC QC 60/90/120 product line where the authentication credentials for the device's web server are transmitted using base64 encoding within HTTP headers. Base64 encoding is not encryption but merely an encoding scheme, making it trivial for an attacker intercepting network traffic to decode and obtain the plaintext credentials. This vulnerability falls under CWE-261, which concerns weak encoding of sensitive information. The affected product version is 8, and the vulnerability was published on January 7, 2026. The CVSS 4.0 vector indicates an attack vector of adjacent network (AV:A), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and high impact on confidentiality (VC:H) but no impact on integrity or availability. The vulnerability does not require user interaction and can be exploited by an attacker with access to the same network segment as the device. Since the credentials are sent in base64 over HTTP headers, if the communication is not protected by TLS or other encryption, an attacker performing a man-in-the-middle or network sniffing attack can easily decode the credentials and gain unauthorized access to the device's web interface. This could lead to unauthorized configuration changes or further compromise of the network. No patches or exploits are currently reported, but the weakness in credential transmission represents a significant risk if left unmitigated.

Potential Impact

For European organizations, the primary impact is the potential compromise of EFACEC QC devices' administrative interfaces, which could lead to unauthorized access and control over critical infrastructure components or industrial control systems where these devices are deployed. This could result in confidentiality breaches, unauthorized configuration changes, and potential disruption of services. Given that EFACEC is a Portuguese company with a strong presence in Portugal and Spain, organizations in these countries are more likely to be affected. The vulnerability's exploitation requires network adjacency, so organizations with poorly segmented networks or exposed management interfaces are at higher risk. The medium severity reflects that while the vulnerability does not directly impact system availability or integrity, the exposure of credentials can lead to further attacks and compromise. The lack of encryption in credential transmission also indicates a broader risk posture issue that could affect compliance with European data protection regulations such as GDPR if sensitive information is exposed.

Mitigation Recommendations

1. Immediately restrict network access to the EFACEC QC device web interfaces by implementing strict network segmentation and firewall rules to limit access to trusted management networks only.
2. Deploy VPNs or encrypted tunnels (e.g., IPsec, TLS) for all management traffic to ensure credentials are not transmitted in cleartext or easily reversible encoding.
3. Verify and enforce the use of HTTPS with valid certificates on the device web server to protect credentials in transit.
4. Implement strong authentication mechanisms such as multi-factor authentication (MFA) if supported by the device or through external authentication proxies.
5. Regularly monitor network traffic for suspicious activities, including repeated failed login attempts or unusual access patterns to the device management interface.
6. Engage with EFACEC for firmware updates or patches that address this vulnerability and plan for timely deployment once available.
7. Conduct security awareness training for network administrators to recognize the risks of weak credential transmission and enforce best practices.
8. Consider deploying network intrusion detection/prevention systems (IDS/IPS) to detect attempts to intercept or exploit this vulnerability.
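As an added example that is not part of the advisory or any EFACEC code, the following check supports mitigation steps 3 and 5: it scans HTTP request records for Basic credentials sent without TLS and reports the offending source, target and username, never the password. The record layout, hostnames, addresses and credentials are constructed for this example.

```python
import base64
import binascii

# Constructed sample of HTTP request metadata, in the shape a proxy or
# network monitor might export. All addresses and credentials are made up.
def _basic(user_pass):
    return "Basic " + base64.b64encode(user_pass).decode()

SAMPLE_REQUESTS = [
    {"src": "10.0.5.23", "dst": "10.0.5.10", "port": 80, "tls": False, "path": "/login",
     "headers": {"Host": "qc-device.local", "Authorization": _basic(b"admin:s3cret")}},
    {"src": "10.0.5.23", "dst": "10.0.5.10", "port": 443, "tls": True, "path": "/login",
     "headers": {"Host": "qc-device.local", "Authorization": _basic(b"admin:s3cret")}},
    {"src": "10.0.5.40", "dst": "10.0.5.10", "port": 80, "tls": False, "path": "/status",
     "headers": {"Host": "qc-device.local"}},
    {"src": "10.0.5.41", "dst": "10.0.5.10", "port": 80, "tls": False, "path": "/login",
     "headers": {"Host": "qc-device.local", "authorization": "Basic !!not-base64"}},
]

def basic_auth_user(header_value):
    """Return the username from an 'Authorization: Basic <b64>' value, or None.
    The password half of the decoded token is deliberately never returned."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, _password = decoded.partition(b":")
    return user.decode("utf-8", errors="replace") if sep else None

def find_cleartext_basic_auth(requests):
    """Flag requests carrying Basic credentials without TLS protection.
    Each finding names source, target and user, with the password redacted."""
    findings = []
    for req in requests:
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        auth = headers.get("authorization")
        if auth is None or req.get("tls"):
            continue                     # no credentials, or protected in transit
        user = basic_auth_user(auth)
        if user is None:
            continue                     # not Basic, or malformed token
        findings.append({"src": req["src"], "dst": req["dst"], "port": req["port"],
                         "host": headers.get("host", ""), "path": req["path"],
                         "user": user, "password": "<redacted>"})
    return findings
```

Run `find_cleartext_basic_auth(SAMPLE_REQUESTS)` against exported request records; only the cleartext login on port 80 is reported, while the TLS-protected one and the malformed token are ignored.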


Technical Details

Data Version: 5.2
Assigner Short Name: S21sec
Date Reserved: 2026-01-07T14:01:04.829Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 695e89727349d0379daecb50

Added to database: 1/7/2026, 4:27:30 PM

Last enriched: 1/7/2026, 4:42:14 PM

Last updated: 1/9/2026, 1:36:16 AM

