CVE-2026-35556

Severity: Critical
Published: 09 April 2026
Modified: 16 April 2026
CVSS v4.0 base score: 9.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0030 (21.2th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-35556 is a critical-severity Plaintext Storage of a Password (CWE-256) vulnerability in Openplcproject Openplc V3 Firmware. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552); ranked at the 21.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-28 (Protection of Information at Rest).

Deeper analysis

CVE-2026-35556 is a Plaintext Storage of a Password vulnerability (CWE-256) in OpenPLC_V3, published on 2026-04-09. The issue enables attackers to retrieve credentials stored in plaintext, potentially granting access to sensitive information. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility and low attack complexity.

An unauthenticated attacker (PR:N) can exploit this vulnerability remotely over the network (AV:N) without requiring user interaction (UI:N). Exploitation involves accessing the affected component to extract plaintext credentials, allowing unauthorized disclosure of sensitive information (C:H) while leaving integrity and availability unaffected.

The CISA ICS Advisory ICSA-25-345-10 provides further details on this vulnerability, including potential mitigation steps, at https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-10.

Vulnerability details

OpenPLC_V3 is vulnerable to a Plaintext Storage of a Password vulnerability that could allow an attacker to retrieve credentials and access sensitive information.

CWE(s)

CWE-256: Plaintext Storage of a Password

Related Threats

MITRE ATT&CK Enterprise Techniques

T1552 Unsecured Credentials (tactic: Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

The vulnerability is explicitly plaintext storage of passwords (CWE-256), directly enabling retrieval of unsecured credentials as described in T1552 Unsecured Credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35063: same product (Openplcproject Openplc V3)
CVE-2025-27656: shared CWE-256
CVE-2024-10334: shared CWE-256
CVE-2025-27662: shared CWE-256
CVE-2026-33216: shared CWE-256
CVE-2021-47961: shared CWE-256
CVE-2024-41336: shared CWE-256
CVE-2025-21102: shared CWE-256
CVE-2025-36258: shared CWE-256
CVE-2024-55026: shared CWE-256

Affected Assets

openplcproject openplc v3 firmware, all versions

Mitigating Controls (NIST 800-53 r5)

SC-28 (Protection of Information at Rest), prevent: Requires cryptographic mechanisms to protect the confidentiality of sensitive information at rest, directly preventing retrieval of plaintext-stored passwords.

IA-5 (Authenticator Management), prevent: Mandates protection of authenticators such as passwords during storage, commensurate with the sensitivity of the protected information.

Prevent: Requires timely identification, reporting, and correction of flaws such as the plaintext password storage in this CVE.
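As an added illustration (not code from OpenPLC_V3 or from the advisory), the CWE-256 storage pattern beside the salted-hash form that SC-28 and IA-5 call for, plus an audit check that flags records still held in plaintext. The in-memory store, user names and passwords are constructed stand-ins; the advisory does not say where OpenPLC_V3 kept the credential.

```python
import hashlib
import hmac
import os

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)
PREFIX = "scrypt$"


def _kdf(password: str, salt: bytes) -> bytes:
    """Salted, memory-hard derivation; the plaintext never leaves this call."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


def store_plaintext(store: dict, username: str, password: str) -> None:
    """CWE-256 pattern: the secret is persisted as-is, so anyone who can
    read the store (or the file it is written to) holds the credential."""
    store[username] = password


def store_hashed(store: dict, username: str, password: str) -> None:
    """Hardened form (SC-28 / IA-5): only a salted scrypt hash is kept."""
    salt = os.urandom(16)
    store[username] = PREFIX + salt.hex() + "$" + _kdf(password, salt).hex()


def verify(store: dict, username: str, password: str) -> bool:
    """Constant-time check against the stored hash; plaintext records are
    refused outright rather than compared, so they cannot be used to log in."""
    record = store.get(username)
    if record is None or not record.startswith(PREFIX):
        return False
    _, salt_hex, digest_hex = record.split("$")
    candidate = _kdf(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def find_plaintext_entries(store: dict) -> list:
    """Audit check: every record lacking the hash prefix is a plaintext
    credential and should be migrated (re-hashed at next login or reset)."""
    return sorted(u for u, rec in store.items() if not rec.startswith(PREFIX))


if __name__ == "__main__":
    # Constructed sample store standing in for a settings file or DB table.
    users = {}
    store_plaintext(users, "legacy_user", "constructed-password-1")
    store_hashed(users, "operator", "constructed-password-2")
    print("plaintext records:", find_plaintext_entries(users))  # ['legacy_user']
    print("operator login ok:", verify(users, "operator", "constructed-password-2"))
```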
