CVE-2026-3323 - Vulnerability Details - OpenCVE

An unsecured configuration interface on affected devices allows unauthenticated remote attackers to access sensitive information, including hashed credentials and access codes.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Vega	Vegapuls6x Pn Firmware

No data.

No data.

References

Link	Providers
https://certvde.com/en/advisories/VDE-2026-016
https://vega.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-016.json

History

Tue, 28 Apr 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		An unsecured configuration interface on affected devices allows unauthenticated remote attackers to access sensitive information, including hashed credentials and access codes.
Title		VEGA: Privilege escalation through unsecured configuration interface in VEGAPULS devices
First Time appeared		Vega Vega vegapuls6x Pn Firmware
Weaknesses		CWE-306
CPEs		cpe:2.3:o:vega:vegapuls6x_pn_firmware:1.0.0:::::::* cpe:2.3:o:vega:vegapuls6x_pn_firmware:1.1.0:::::::*
Vendors & Products		Vega Vega vegapuls6x Pn Firmware
References		https://certvde.com/en/advisories/VDE-2026-016 https://vega.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-016.json
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published: 2026-04-28T10:24:19.411Z

Updated: 2026-04-28T10:24:19.411Z

Reserved: 2026-02-27T11:10:05.931Z

Link: CVE-2026-3323

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-28T11:16:05.967

Modified: 2026-04-28T11:16:05.967

Link: CVE-2026-3323

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3323", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "state": "PUBLISHED", "assignerShortName": "CERTVDE", "dateReserved": "2026-02-27T11:10:05.931Z", "datePublished": "2026-04-28T10:24:19.411Z", "dateUpdated": "2026-04-28T10:24:19.411Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "VEGAPULS 6X Two-wire PROFINET, Modbus TCP, OPC UA (Ethernet-APL)", "vendor": "VEGA Grieshaber", "versions": [{"status": "affected", "version": "1.0.0"}]}, {"defaultStatus": "unaffected", "product": "VEGAPULS 6X Two-wire PROFINET, Modbus TCP, OPC UA (Ethernet-APL)", "vendor": "VEGA Grieshaber", "versions": [{"status": "affected", "version": "1.1.0"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:vega:vegapuls6x_pn_firmware:1.0.0:*:*:*:*:*:*:*", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:vega:vegapuls6x_pn_firmware:1.1.0:*:*:*:*:*:*:*", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Product Security Unit at VEGA Grieshaber KG"}], "datePublic": "2026-04-22T10:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An unsecured configuration interface on affected devices allows unauthenticated remote attackers to access sensitive information, including hashed credentials and access codes.<br>"}], "value": "An unsecured configuration interface on affected devices allows unauthenticated remote attackers to access sensitive information, including hashed credentials and access codes."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2026-04-28T10:24:19.411Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://certvde.com/en/advisories/VDE-2026-016"}, {"tags": ["vendor-advisory"], "url": "https://vega.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-016.json"}], "source": {"advisory": "VDE-2026-016", "defect": ["CERT@VDE#641966"], "discovery": "INTERNAL"}, "title": "VEGA: Privilege escalation through unsecured configuration interface in VEGAPULS devices", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}