
    2 vulnerabilities by VEGA Grieshaber

    CVE-2026-3323 (GCVE-0-2026-3323)

    Vulnerability from nvd – Published: 2026-04-28 10:24 – Updated: 2026-04-28 12:11
    Title
    VEGA: Privilege escalation through unsecured configuration interface in VEGAPULS devices
    Summary
    An unsecured configuration interface on affected devices allows unauthenticated remote attackers to access sensitive information, including hashed credentials and access codes.
    SSVC
    Exploitation: none; Automatable: yes; Technical Impact: partial
    Source: CISA Coordinator (SSVC v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
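    Assigner
    CERTVDE
    References
    https://certvde.com/en/advisories/VDE-2026-016 (vendor-advisory)
    https://vega.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-016.json (vendor-advisory)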
    Date Public
    2026-04-22 10:00
    Credits
    Product Security Unit at VEGA Grieshaber KG

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3323",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-28T12:10:38.211626Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-28T12:11:34.980Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "VEGAPULS 6X Two-wire PROFINET, Modbus TCP, OPC UA (Ethernet-APL)",
              "vendor": "VEGA Grieshaber",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "VEGAPULS 6X Two-wire PROFINET, Modbus TCP, OPC UA (Ethernet-APL)",
              "vendor": "VEGA Grieshaber",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.1.0"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:o:vega:vegapuls6x_pn_firmware:1.0.0:*:*:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:o:vega:vegapuls6x_pn_firmware:1.1.0:*:*:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Product Security Unit at VEGA Grieshaber KG"
            }
          ],
          "datePublic": "2026-04-22T10:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An unsecured configuration interface on affected devices allows unauthenticated remote attackers to access sensitive information, including hashed credentials and access codes.\u003cbr\u003e"
                }
              ],
              "value": "An unsecured configuration interface on affected devices allows unauthenticated remote attackers to access sensitive information, including hashed credentials and access codes."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T10:24:19.411Z",
            "orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
            "shortName": "CERTVDE"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://certvde.com/en/advisories/VDE-2026-016"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://vega.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-016.json"
            }
          ],
          "source": {
            "advisory": "VDE-2026-016",
            "defect": [
              "CERT@VDE#641966"
            ],
            "discovery": "INTERNAL"
          },
          "title": "VEGA: Privilege escalation through unsecured configuration interface in VEGAPULS devices",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
        "assignerShortName": "CERTVDE",
        "cveId": "CVE-2026-3323",
        "datePublished": "2026-04-28T10:24:19.411Z",
        "dateReserved": "2026-02-27T11:10:05.931Z",
        "dateUpdated": "2026-04-28T12:11:34.980Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3323 (GCVE-0-2026-3323)

    Vulnerability from cvelistv5 – Published: 2026-04-28 10:24 – Updated: 2026-04-28 12:11
    Title
    VEGA: Privilege escalation through unsecured configuration interface in VEGAPULS devices
    Summary
    An unsecured configuration interface on affected devices allows unauthenticated remote attackers to access sensitive information, including hashed credentials and access codes.
    SSVC
    Exploitation: none; Automatable: yes; Technical Impact: partial
    Source: CISA Coordinator (SSVC v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
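    Assigner
    CERTVDE
    References
    https://certvde.com/en/advisories/VDE-2026-016 (vendor-advisory)
    https://vega.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-016.json (vendor-advisory)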
    Date Public
    2026-04-22 10:00
    Credits
    Product Security Unit at VEGA Grieshaber KG

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3323",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-28T12:10:38.211626Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-28T12:11:34.980Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "VEGAPULS 6X Two-wire PROFINET, Modbus TCP, OPC UA (Ethernet-APL)",
              "vendor": "VEGA Grieshaber",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "VEGAPULS 6X Two-wire PROFINET, Modbus TCP, OPC UA (Ethernet-APL)",
              "vendor": "VEGA Grieshaber",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.1.0"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:o:vega:vegapuls6x_pn_firmware:1.0.0:*:*:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:o:vega:vegapuls6x_pn_firmware:1.1.0:*:*:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Product Security Unit at VEGA Grieshaber KG"
            }
          ],
          "datePublic": "2026-04-22T10:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An unsecured configuration interface on affected devices allows unauthenticated remote attackers to access sensitive information, including hashed credentials and access codes.\u003cbr\u003e"
                }
              ],
              "value": "An unsecured configuration interface on affected devices allows unauthenticated remote attackers to access sensitive information, including hashed credentials and access codes."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T10:24:19.411Z",
            "orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
            "shortName": "CERTVDE"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://certvde.com/en/advisories/VDE-2026-016"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://vega.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-016.json"
            }
          ],
          "source": {
            "advisory": "VDE-2026-016",
            "defect": [
              "CERT@VDE#641966"
            ],
            "discovery": "INTERNAL"
          },
          "title": "VEGA: Privilege escalation through unsecured configuration interface in VEGAPULS devices",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
        "assignerShortName": "CERTVDE",
        "cveId": "CVE-2026-3323",
        "datePublished": "2026-04-28T10:24:19.411Z",
        "dateReserved": "2026-02-27T11:10:05.931Z",
        "dateUpdated": "2026-04-28T12:11:34.980Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }