CVE-2026-22544 is a vulnerability identified in EFACEC QC 60/90/120 devices, specifically version 8, where credentials are transmitted over the network in cleartext. This vulnerability is classified under CWE-319, which pertains to the cleartext transmission of sensitive information. An attacker with network access can passively intercept these credentials without requiring authentication or user interaction, due to the lack of encryption or secure transmission protocols protecting the credential data. The CVSS 4.0 base score of 8.7 reflects the vulnerability's high impact on confidentiality, with no impact on integrity or availability. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality (VC:H). The vulnerability affects EFACEC's QC 60/90/120 product line, which is used in various industrial and infrastructure environments. Although no exploits have been reported in the wild yet, the vulnerability poses a significant risk due to the ease of interception and potential for credential compromise, which could lead to unauthorized access or further exploitation. The lack of available patches at the time of publication necessitates immediate mitigation through network controls and monitoring.

The primary impact of CVE-2026-22544 is the compromise of sensitive credentials transmitted in cleartext, leading to a breach of confidentiality. For European organizations, especially those in critical infrastructure sectors such as energy, transportation, and manufacturing where EFACEC QC devices are deployed, this could result in unauthorized access to control systems or administrative interfaces. Such access could facilitate further attacks, including data exfiltration, operational disruption, or sabotage. The vulnerability does not directly affect system integrity or availability but indirectly increases risk by enabling attackers to gain footholds within networks. The ease of exploitation without authentication or user interaction increases the threat level, particularly in environments with insufficient network segmentation or monitoring. The exposure of credentials could also lead to lateral movement within networks, amplifying the potential damage. Organizations relying on these devices must consider the risk of espionage, operational disruption, and compliance violations under European data protection regulations.

1. Immediately segment networks to isolate EFACEC QC 60/90/120 devices from general IT and internet-facing networks to limit attacker access. 2. Employ encrypted VPN tunnels or IPsec to secure all communications to and from the affected devices until patches are available. 3. Monitor network traffic for unencrypted credential transmissions and unusual access patterns using intrusion detection systems (IDS) and network traffic analysis tools. 4. Restrict network access to the devices by implementing strict firewall rules and access control lists (ACLs) allowing only trusted management hosts. 5. Coordinate with EFACEC for timely patch releases and apply updates as soon as they become available. 6. Conduct regular credential audits and enforce strong password policies to reduce the impact of potential credential compromise. 7. Train network and security teams to recognize signs of credential interception and lateral movement. 8. Consider deploying network encryption gateways or proxies if native device encryption cannot be implemented immediately.