CVE-2026-22911
Published: 15 January 2026
Summary
CVE-2026-22911 is a medium-severity Use of Hard-coded Credentials (CWE-798) vulnerability in SICK TDC-X401GL firmware. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). The CVE ranks at the 7.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not yet run; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Protecting authenticator content from unauthorized disclosure and modification, and requiring protective controls around it, addresses insufficiently protected credentials.
- Enabling users to notice when hard-coded credentials have been used for unauthorized access.
- Training instructs users on protecting credentials from disclosure or unauthorized access.
- Security training explicitly warns against hard-coded credentials, lowering their use in systems.
- Training records for security awareness and role-based training verify education on credential protection practices, reducing the risk of credentials being mishandled or exposed.
- Policy and procedures prohibit hard-coded credentials in favor of managed authentication.
- External identity providers eliminate the need for hard-coded credentials in applications.
- Rules of behavior include credential protection and non-sharing requirements, reducing exposure of insufficiently protected credentials.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Firmware files publicly expose password hashes (Unsecured Credentials: Credentials In Files); credentials recovered from those hashes enable use of valid accounts for device access.
NVD Description
Firmware update files may expose password hashes for system accounts, which could allow a remote attacker to recover credentials and gain unauthorized access to the device.
Deeper analysis (AI-generated)
CVE-2026-22911 affects firmware update files for SICK devices: the files expose password hashes for system accounts. Published on 2026-01-15, this vulnerability falls under CWE-798 (Use of Hard-coded Credentials) and CWE-522 (Insufficiently Protected Credentials). It carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), reflecting medium severity: a low-impact confidentiality exposure reachable over the network, with no impact on integrity or availability.
A remote attacker requires no privileges or user interaction to exploit this vulnerability. By obtaining the publicly available firmware update files, an attacker can extract the exposed password hashes, attempt to crack them offline where the hash format makes that feasible, and recover credentials for system accounts, enabling unauthorized access to the affected device.
SICK has published mitigation guidance through its PSIRT page at https://sick.com/psirt and detailed advisories in CSAF format, including https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json and https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf. Additional ICS-focused recommendations are available from CISA at https://www.cisa.gov/resources-tools/resources/ics-recommended-practices.
Details
- CWE(s)