{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22920", "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988", "state": "REJECTED", "assignerShortName": "SICK AG", "dateReserved": "2026-01-13T09:11:12.759Z", "datePublished": "2026-01-15T13:09:04.276Z", "dateUpdated": "2026-05-12T07:30:49.900Z", "dateRejected": "2026-05-12T07:30:49.900Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988", "shortName": "SICK AG", "dateUpdated": "2026-05-12T07:30:49.900Z"}, "rejectedReasons": [{"lang": "en", "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."}]}], "x_generator": {"engine": "Vulnogram 1.0.2"}}}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22920", "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988", "state": "REJECTED", "assignerShortName": "SICK AG", "dateReserved": "2026-01-13T09:11:12.759Z", "datePublished": "2026-01-15T13:09:04.276Z", "dateUpdated": "2026-05-12T07:30:49.900Z", "dateRejected": "2026-05-12T07:30:49.900Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988", "shortName": "SICK AG", "dateUpdated": "2026-05-12T07:30:49.900Z"}, "rejectedReasons": [{"lang": "en", "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."}]}], "x_generator": {"engine": "Vulnogram 1.0.2"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."}], "id": "CVE-2026-22920", "lastModified": "2026-05-12T09:16:18.200", "metrics": {}, "published": "2026-01-15T13:16:07.063", "references": [], "sourceIdentifier": "psirt@sick.de", "vulnStatus": "Rejected"}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T06:08:15.214995+00:00", "value": {"mitigation_remediation": ["Deactivate AppEngine immediately after initial device setup as the vendor recommends", "Apply any available firmware update that addresses password salting weaknesses", "After deactivation, reset all device passwords to secure, unique values"], "summary": {"action": "Apply Workaround", "impact": "Credential compromise via unsalted password extraction"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all SICK AG TDC\u2011X401GL devices. No specific firmware or hardware revision information is included in the advisory, so all current units should be considered at risk until a corrective update is applied.", "description_and_impact": "The device stores passwords without adequate salting, creating a weakness that allows an attacker to extract and recover those passwords. This vulnerability can lead to compromise of device credentials, providing unauthorized access to device configuration, monitoring data, and potentially related network resources. The weakness is classified as CWE-1391, which identifies the use of cryptographic keys or password hashing functions with insufficient salting.", "risk_and_exploitability": "The CVSS base score of 3.7 indicates a low severity impact. The EPSS score of less than 1% suggests that the likelihood of exploitation is very low at present. The vulnerability is not listed in the CISA KEV catalog, further reducing the probability of widespread exploitation. Based on the description, it is inferred that an attacker who can authenticate to the device or gain access through available interfaces could attempt to extract stored passwords. No specific remote attack vector is documented, so the risk to remote users is likely minimal unless additional network exposure exists."}}}}, "created": "2026-01-16T14:08:52.412381+00:00", "title": "Password Salting Weakness in SICK TDC\u2011X401GL Device", "updated": "2026-04-18T06:15:15.870165+00:00", "vendors": ["sick_ag", "sick_ag$PRODUCT$tdc-x401gl"]}