CVE-2026-22911: CWE-798 Use of Hard-coded Credentials in SICK AG TDC-X401GL
Firmware update files may expose password hashes for system accounts, which could allow a remote attacker to recover credentials and gain unauthorized access to the device.
AI Analysis
Technical Summary
CVE-2026-22911 describes a weakness in the firmware of the SICK AG TDC-X401GL: the firmware update files contain password hashes for the device's system accounts. The assigned weakness class is CWE-798 (Use of Hard-coded Credentials), which implies that the accounts and their passwords are fixed in the firmware image rather than generated per device, so a hash recovered from one update file applies to every unit running that firmware. The published CVSS 3.1 vector begins AV:N/AC:L/PR:N/UI:N, and the remaining metrics consistent with the 5.3 base score are C:L/I:N/A:N: no authentication or user interaction is required, and the directly scored impact is loss of confidentiality only. Note what the vector actually scores: anyone who obtains a copy of the update file can extract the hashes without touching a device. Recovering a usable password is then an offline cracking exercise whose feasibility depends on the hash algorithm and the strength of the embedded passwords, neither of which the advisory states; if it succeeds, the attacker can authenticate to the device as a system account and read or alter its configuration, which is where the integrity risk enters even though the vector does not score it. The advisory lists all versions as affected, no patch was available at publication, and no public exploit has been reported, but the barrier to exploitation is low because the hashes are already present in files distributed outside the device. The TDC-X401GL is used in industrial and automation settings, so unauthorized logins carry operational as well as data-leakage risk, and operators should apply compensating controls until SICK AG ships a fix.
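The check a practitioner wants here is whether a given update file actually carries usable credential hashes, and how expensive they would be to crack. The script below is an added example written for this page, not code from SICK AG or from the advisory. It assumes the update image, once unpacked, contains Linux-style shadow(5) records (the advisory does not say what format the TDC-X401GL uses, and the sample image, account names and hash strings are constructed dummies), and it generalizes to any vendor's firmware: it scans raw bytes for shadow-style lines, identifies the hash algorithm from the modular-crypt prefix, and flags empty fields, DES/md5crypt and low-round sha*crypt as cheap to recover.

```python
import re
from dataclasses import dataclass

# Modular-crypt-format identifier -> (algorithm name, weak by default).
# Constructed lookup for this example. md5crypt and DES crypt are cheap to
# attack on GPUs; sha*crypt, bcrypt and yescrypt are slower but still
# crackable offline when the embedded password is weak.
MCF_ALGOS = {
    "1": ("md5crypt", True),
    "5": ("sha256crypt", False),
    "6": ("sha512crypt", False),
    "2a": ("bcrypt", False),
    "2b": ("bcrypt", False),
    "2y": ("bcrypt", False),
    "y": ("yescrypt", False),
}

# A shadow(5)-style record: "name:password-field:" followed by at least three
# numeric-or-empty fields (lastchange:min:max:...). Applied to raw bytes so it
# runs over an unpacked image without knowing the filesystem layout.
SHADOW_RE = re.compile(rb"(?m)^([a-z_][a-z0-9_-]{0,31}):([^:\n]*):(?:[0-9]*:){3,}")


@dataclass
class Finding:
    account: str
    algorithm: str
    weak: bool
    reason: str


def classify_hash(field: str) -> tuple[str, bool, str]:
    """Classify one shadow password field as (algorithm, weak, reason)."""
    if field == "":
        return ("none", True, "empty password field: login needs no password")
    if field == "x":
        return ("shadowed", False, "placeholder; the real hash lives elsewhere")
    if field.startswith(("*", "!")):
        return ("locked", False, "locked or no usable password")
    m = re.match(r"\$([^$]+)\$", field)
    if not m:
        if len(field) == 13:
            return ("descrypt", True, "legacy DES crypt: 8-char max, fast to crack")
        return ("unknown", True, "unrecognised format; inspect manually")
    name, weak = MCF_ALGOS.get(m.group(1), (f"unknown-${m.group(1)}$", True))
    reason = f"{name} hash exposed; crackable offline with a wordlist"
    rounds = re.match(r"\$[56]\$rounds=(\d+)\$", field)
    if rounds and int(rounds.group(1)) < 5000:
        weak, reason = True, f"{name} with only {rounds.group(1)} rounds"
    elif name == "md5crypt":
        reason = "md5crypt is fast on GPUs; treat the password as recoverable"
    return (name, weak, reason)


def scan_firmware(blob: bytes) -> list[Finding]:
    """Return every usable credential hash found in an unpacked firmware blob."""
    findings: list[Finding] = []
    for m in SHADOW_RE.finditer(blob):
        account = m.group(1).decode("ascii")
        field = m.group(2).decode("ascii", "replace")
        algorithm, weak, reason = classify_hash(field)
        if algorithm in ("shadowed", "locked"):
            continue  # nothing for an attacker to crack
        findings.append(Finding(account, algorithm, weak, reason))
    return findings


# Constructed sample: a fake image header, a shadow file with four system
# accounts, one passwd line, and trailing binary noise. The hash strings are
# dummies of the right shape, not real credentials from any device.
SAMPLE_UPDATE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 17 + b"\n"
    + b"\n".join([
        b"root:$6$rounds=5000$c4n0n1c4l$" + b"A" * 86 + b":19737:0:99999:7:::",
        b"service:$1$saltsalt$" + b"B" * 22 + b":19737:0:99999:7:::",
        b"diag::19737:0:99999:7:::",
        b"nobody:*:19737:0:99999:7:::",
        b"sync:x:4:65534::/bin/sync",
    ])
    + b"\n\xff\x00\x10trailing-data"
)

if __name__ == "__main__":
    for f in scan_firmware(SAMPLE_UPDATE):
        flag = "WEAK" if f.weak else "hash"
        print(f"[{flag}] {f.account}: {f.algorithm} - {f.reason}")
```

Run it against the unpacked contents of a real update file (for example the output of binwalk or a squashfs extraction, piped in as bytes) rather than the packed archive, since compressed images will not expose the records to a byte scan. A hit for an account the device actually allows to log in is the condition the advisory describes; the "weak" flag is a prioritization aid, not proof that the password cannot be cracked when it is absent.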
Potential Impact
For European organizations, exposed system-account hashes in TDC-X401GL devices translate into a risk of unauthorized logins to sensors embedded in industrial control and automation networks. The scored impact is confidentiality: an attacker with a recovered credential can read operational data and device configuration. The practical impact is wider, because a system-account login is also a foothold for reconnaissance and lateral movement inside the OT segment, and changes to device settings could indirectly affect operational continuity or safety even though the vulnerability itself is not rated for integrity or availability. The medium rating reflects the direct exposure only; chained with weak segmentation or reachable management services the threat is higher. Manufacturing, logistics and energy operators that depend on SICK sensors are the most exposed.
Mitigation Recommendations
Inventory TDC-X401GL deployments and the firmware versions they run. Because the hashes are carried in the update files rather than served by the device, network controls on the device cannot prevent the exposure; they can only limit what a cracked credential is worth. Assume the system-account passwords are recoverable and plan on that basis: place the devices in a segmented industrial network, restrict which hosts can reach the device's management services, and log and alert on any login to a system account from an unexpected source. Where the device allows the system-account passwords to be changed, change them, since a hash cracked from the update file is useless once the device no longer uses that password; where it does not, treat those accounts as compromised and block the associated services at the segment boundary. Limit who can download and store the update files internally and keep them off shared file stores, because every copy of the file is a copy of the hashes. Enable multi-factor authentication on the management interfaces if the device supports it. Track SICK AG advisories for a firmware revision that addresses the issue, apply it when released, and verify the fix by confirming that the new update file no longer contains the hashes. ICS-aware network monitoring that baselines normal traffic to these sensors helps detect use of recovered credentials early.
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: SICK AG
- Date Reserved: 2026-01-13T09:11:11.448Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6968e9244c611209ad0e715e
Added to database: 1/15/2026, 1:18:28 PM
Last enriched: 1/15/2026, 1:36:14 PM
Last updated: 1/15/2026, 7:55:54 PM
Related Threats
- CVE-2026-22803: CWE-789: Memory Allocation with Excessive Size Value in sveltejs kit (High)
- CVE-2026-0227: CWE-754 Improper Check for Unusual or Exceptional Conditions in Palo Alto Networks Cloud NGFW (Medium)
- CVE-2026-22774: CWE-405: Asymmetric Resource Consumption (Amplification) in sveltejs devalue (High)
- CVE-2026-22775: CWE-405: Asymmetric Resource Consumption (Amplification) in sveltejs devalue (High)
- CVE-2025-70303: n/a (Medium)