CVE-2026-22910
Published: 15 January 2026
Summary
CVE-2026-22910 is a high-severity Use of Weak Credentials (CWE-1391) vulnerability in Sick Tdc-X401Gl Firmware. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked at the 34.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2026-22910 is a vulnerability in certain SICK devices deployed with weak and publicly known default passwords for hidden user levels, increasing the risk of unauthorized access and representing a high risk to system integrity. Published on 2026-01-15, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-1391.
A remote attacker requires only network access and no privileges or user interaction to exploit this vulnerability by authenticating with the publicly known default credentials for the hidden user levels. Successful exploitation results in high confidentiality impact, potentially allowing disclosure of sensitive system information.
Mitigation guidance is provided in SICK's PSIRT advisory at https://sick.com/psirt and the associated CSAF documents SCA-2026-0001 at https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json and https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf. CISA ICS recommended practices are available at https://www.cisa.gov/resources-tools/resources/ics-recommended-practices, and the CVSS calculator is at https://www.first.org/cvss/calculator/3.1.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2809
Vulnerability details
The device is deployed with weak and publicly known default passwords for certain hidden user levels, increasing the risk of unauthorized access. This represents a high risk to the integrity of the system.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Directly enables initial access via publicly known default credentials on hidden accounts (T1078.001).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires changing default authenticators prior to first use, preventing exploitation of weak and publicly known default passwords for hidden user levels.
Enforces secure configuration settings that prohibit deployment with weak default credentials, addressing the insecure factory configurations in affected SICK devices.
Account management processes ensure hidden or unnecessary user accounts are identified, disabled, or provisioned with strong authenticators to mitigate unauthorized access risks.