User credentials are stored using AES‑ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration file can decrypt and recover plaintext usernames and passwords, especially when combined with the authentication bypass.
The application uses the AES algorithm in ECB mode to encrypt credentials; however, the encryption key is hardcoded in the software (CWE-321). This means that anyone who knows the key or can extract it from the application can decrypt any configuration file containing credentials. The vulnerability is particularly dangerous in combination with the possibility of authentication bypass (auth bypass), which allows an attacker to obtain the configuration file without having any permissions. ECB mode additionally does not provide semantic security, which facilitates analysis of encrypted data.
An attacker can recover plaintext usernames and passwords from a stolen configuration file, leading to complete account takeover and loss of confidentiality, integrity, and availability of the system.
Manufacturer patches should be applied in accordance with the references (https://certvde.com/de/advisories/VDE-2026-004). Until the fix is implemented, it is recommended to restrict access to the configuration file and the network where the device operates.
Versions indicated in the manufacturer's references (advisory VDE-2026-004 on certvde.com)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H