CVE-2026-22906: CWE-321 Use of Hard-coded Cryptographic Key in WAGO 0852-1322
CVE-2026-22906 is a critical vulnerability in the WAGO 0852-1322 device where user credentials are encrypted using AES-ECB with a hardcoded cryptographic key. An unauthenticated remote attacker who obtains the device's configuration file can decrypt and recover plaintext usernames and passwords. This vulnerability allows full compromise of confidentiality, integrity, and availability without requiring authentication or user interaction. The weakness stems from the use of a static, hardcoded key combined with the insecure AES-ECB mode, which is susceptible to cryptanalysis. Although no exploits are currently known in the wild, the high CVSS score of 9.8 reflects the ease of exploitation and severe impact. European organizations using WAGO 0852-1322 devices, especially in industrial automation and critical infrastructure, are at significant risk. Immediate mitigation involves restricting access to configuration files, monitoring for unauthorized access, and applying vendor patches once available. Countries with extensive industrial automation deployments, such as Germany, France, and the Netherlands, are most likely to be affected due to WAGO's market presence and critical infrastructure reliance.
AI Analysis
Technical Summary
CVE-2026-22906 identifies a severe cryptographic vulnerability in the WAGO 0852-1322 industrial automation device. The device stores user credentials encrypted with AES in ECB mode using a hardcoded cryptographic key embedded in the firmware. AES-ECB mode is inherently insecure for encrypting multiple blocks of data because each block is encrypted independently with no initialization vector or chaining, so identical plaintext blocks produce identical ciphertext blocks and patterns in the stored data leak. The use of a hardcoded key further exacerbates the issue, as an attacker who obtains the configuration file can decrypt the stored credentials without needing to guess or brute-force the key. The vulnerability allows unauthenticated remote attackers to retrieve the configuration file, which contains the encrypted credentials. Once decrypted, attackers gain access to plaintext usernames and passwords, enabling them to bypass authentication mechanisms and potentially take full control of the device. This compromises confidentiality (exposure of credentials), integrity (potential unauthorized configuration changes), and availability (disruption or control of device operations). The CVSS v3.1 score of 9.8 reflects the vulnerability's critical nature, with network attack vector, no required privileges or user interaction, and full impact on confidentiality, integrity, and availability. No patches are currently available, and no exploits have been reported in the wild, but the risk is high given the ease of exploitation and the critical role of these devices in industrial environments.
Potential Impact
For European organizations, especially those in industrial automation, manufacturing, and critical infrastructure sectors, this vulnerability poses a significant threat. Compromise of WAGO 0852-1322 devices can lead to unauthorized access to control systems, potentially causing operational disruptions, safety hazards, and data breaches. Attackers could manipulate device configurations, disrupt industrial processes, or use compromised devices as pivot points for further network intrusion. The exposure of plaintext credentials undermines trust in device security and may lead to broader network compromise. Given the critical nature of industrial control systems in Europe’s energy, manufacturing, and transportation sectors, exploitation could have cascading effects on national infrastructure and economic stability. The lack of authentication requirements and ease of remote exploitation increase the urgency for affected organizations to act swiftly.
Mitigation Recommendations
Organizations should immediately restrict access to configuration files by implementing strict network segmentation and access controls limiting who can retrieve device configurations. Employ network monitoring to detect unusual access patterns or attempts to download configuration files. Use VPNs or secure management channels to access devices remotely. Since no patches are currently available, consider deploying compensating controls such as disabling remote configuration retrieval if possible or isolating vulnerable devices from external networks. Engage with WAGO for updates and apply patches promptly once released. Conduct thorough audits of device configurations and credentials, and rotate passwords after remediation. Implement intrusion detection systems tailored for industrial control networks to identify exploitation attempts. Train staff on the risks associated with hardcoded keys and insecure encryption practices to improve overall security posture.
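To make the weakness and its remediation concrete, here is an added example (not WAGO's code and not part of the advisory): a defender-side check that flags the ECB fingerprint (repeated 16-byte blocks) in an exported configuration blob, beside the hardened pattern of storing a salted PBKDF2 digest instead of reversible ciphertext. It uses a keyed codebook as a clearly labelled stand-in for AES-ECB, a constructed sample config, and a placeholder key; none of these are the device's real data.

```python
import hashlib
import hmac
import os

BLOCK = 16
PBKDF2_ROUNDS = 200_000

def ecb_codebook_stand_in(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for AES-ECB (it is NOT AES): every 16-byte block is mapped
    independently through one fixed, key-dependent codebook, which is the
    exact ECB property that leaks patterns. Zero-pads to a block boundary."""
    padded = plaintext + b"\x00" * (-len(plaintext) % BLOCK)
    out = bytearray()
    for i in range(0, len(padded), BLOCK):
        out += hashlib.sha256(key + padded[i:i + BLOCK]).digest()[:BLOCK]
    return bytes(out)

def duplicate_block_count(blob: bytes) -> int:
    """Triage check for an exported config: repeated 16-byte blocks inside a
    field that should be ciphertext are a strong ECB fingerprint (CBC, CTR or
    GCM output should show none). Returns the number of repeated blocks."""
    usable = len(blob) - len(blob) % BLOCK
    blocks = [blob[i:i + BLOCK] for i in range(0, usable, BLOCK)]
    return len(blocks) - len(set(blocks))

def hash_credential(password: str, salt: bytes = b"") -> bytes:
    """Hardened storage: a salted PBKDF2-HMAC-SHA256 digest instead of a
    reversible ciphertext, so a leaked config yields no plaintext and the
    firmware needs no embedded decryption key at all."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest

def verify_credential(password: str, stored: bytes) -> bool:
    """Constant-time comparison of a login attempt against the stored digest."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

# Constructed sample (not real device data): two accounts that share a password,
# stored in a fixed 32-byte record layout as a config export might hold them.
STATIC_KEY = b"constructed-placeholder-key"  # placeholder, not the device's key
RECORDS = [b"admin".ljust(16, b"\x00") + b"Winter2024!".ljust(16, b"\x00"),
           b"operator".ljust(16, b"\x00") + b"Winter2024!".ljust(16, b"\x00")]
CONFIG_BLOB = b"".join(ecb_codebook_stand_in(STATIC_KEY, r) for r in RECORDS)

if __name__ == "__main__":
    print("repeated blocks in ECB-style blob:", duplicate_block_count(CONFIG_BLOB))  # 1
    stored = hash_credential("Winter2024!")
    print(verify_credential("Winter2024!", stored), verify_credential("winter2024!", stored))
```

The shared password shows up as one repeated ciphertext block, which is exactly what the hashed form never exposes: two users with the same password get unrelated digests because of the per-user salt.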
Affected Countries
Germany, France, Netherlands, Belgium, Italy, Poland, United Kingdom
Machine-generated threat intelligence
Technical Details
- Data Version: 5.2
- Assigner Short Name: CERTVDE
- Date Reserved: 2026-01-13T08:33:25.684Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6989944b4b57a58fa134d4d6
Added to database: 2/9/2026, 8:01:15 AM
Last enriched: 2/16/2026, 1:32:26 PM
Last updated: 3/26/2026, 4:16:29 AM