Cyber Posture

CVE-2026-22906

Critical

Published: 09 February 2026
Modified: 15 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (20.1st percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-22906 is a critical-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability attributed to Certvde (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). EPSS ranks it at the 20.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-12 (Cryptographic Key Establishment and Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Credentials In Files (T1552.001). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Control (prevent): Requires FIPS-validated cryptographic mechanisms to protect the confidentiality of information at rest, such as user credentials in configuration files, which rules out weak AES-ECB encryption.

Control (prevent): Mandates secure management and protection of authenticators such as usernames and passwords during storage, directly addressing the improper storage of credentials in configuration files.

Control (prevent): Establishes and manages cryptographic keys securely without hard-coding them, countering the use of a hard-coded key to decrypt stored credentials.

MITRE ATT&CK Enterprise Techniques

T1552.001 Credentials In Files (tactic: Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

A hard-coded AES key for the credentials in the configuration file directly enables plaintext recovery from any copy of that file an adversary obtains (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

User credentials are stored using AES-ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration file can decrypt and recover plaintext usernames and passwords, especially when combined with the authentication bypass.

Deeper analysis

CVE-2026-22906 is a critical vulnerability (CVSS score 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) involving the storage of user credentials using AES-ECB encryption with a hardcoded key in a configuration file. This flaw, classified under CWE-321 (Use of Hard-coded Cryptographic Key), affects the software or component where the configuration file is used for authentication, allowing straightforward decryption of sensitive data. The issue was publicly disclosed on 2026-02-09.

An unauthenticated remote attacker can exploit this vulnerability by obtaining the configuration file, enabling them to decrypt and recover plaintext usernames and passwords. The impact is amplified when combined with an authentication bypass, potentially granting full unauthorized access to the system, as indicated by the high confidentiality, integrity, and availability impacts in the CVSS vector.

Mitigation details are outlined in the advisory at https://certvde.com/de/advisories/VDE-2026-004.

Details

CWE(s): CWE-321 (Use of Hard-coded Cryptographic Key)

Affected Products: Certvde (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2024-52881 (shared CWE-321)
CVE-2025-59407 (shared CWE-321)
CVE-2024-33504 (shared CWE-321)
CVE-2026-32324 (shared CWE-321)
CVE-2025-15016 (shared CWE-321)
CVE-2025-8625 (shared CWE-321)
CVE-2025-55619 (shared CWE-321)
CVE-2025-34256 (shared CWE-321)
CVE-2025-27674 (shared CWE-321)
CVE-2025-14923 (shared CWE-321)
