Insecure generation of SAT access credentials in Ingecon EMS Board

Summary

CVE: CVE-2026-8072
State: PUBLISHED
Assigner: INCIBE
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2026-05-12 10:16:48 UTC
Updated: 2026-05-13 15:36:46 UTC
Description: Insecure generation of credentials in the local SAT (Technical Support) access functionality of the Ingecon Sun EMS Board. The vulnerability arose because the secret access credentials were not based on a secure cryptographic scheme, but rather on a weak hashing algorithm, which could allow an attacker to carry out a privilege escalation.

Risk And Classification

Primary CVSS: v4.0 9.2 CRITICAL from [email protected]

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS: 0.000290000 probability, percentile 0.084460000 (date 2026-05-12)

Problem Types: CWE-327: Use of a Broken or Risky Cryptographic Algorithm


Version | Source | Type | Score | Severity | Vector
4.0 | [email protected] | Secondary | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/C...
4.0 | CNA | CVSS | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS v4.0 Breakdown

Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: None
User Interaction: None
Confidentiality: High
Integrity: High
Availability: High
Subsequent System Confidentiality: None
Subsequent System Integrity: None
Subsequent System Availability: None


Vendor Declared Affected Products

Source | Vendor | Product | Version | Platforms
CNA | Ingeteam | Ingecon Sun EMS Board | affected AAX1055CT custom | Not specified
CNA | Ingeteam | Ingecon Sun EMS Board | affected ABU1001_P custom | Not specified
CNA | Ingeteam | Ingecon Sun EMS Board | affected ACL1201_B custom | Not specified
CNA | Ingeteam | Ingecon Sun EMS Board | affected ACL1200AL custom | Not specified
CNA | Ingeteam | Ingecon Sun EMS Board | affected ABH1027_K custom | Not specified
CNA | Ingeteam | Ingecon Sun EMS Board | affected ABH1007_Z custom | Not specified
CNA | Ingeteam | Ingecon Sun EMS Board | affected ABS1009_L custom | Not specified
CNA | Ingeteam | Ingecon Sun EMS Board | affected ABS1005_T custom | Not specified
CNA | Ingeteam | Ingecon Sun EMS Board | affected ACB1005_A custom | Not specified
CNA | Ingeteam | Ingecon Sun EMS Board | affected AAX1031CN custom | Not specified
CNA | Ingeteam | Ingecon Sun EMS Board | unaffected AAX1055CU | Not specified
CNA | Ingeteam | Ingecon Sun EMS Board | unaffected ABU1001_Q | Not specified
CNA | Ingeteam | Ingecon Sun EMS Board | unaffected ACL1201_C | Not specified
CNA | Ingeteam | Ingecon Sun EMS Board | unaffected ACL1200AM | Not specified
CNA | Ingeteam | Ingecon Sun EMS Board | unaffected ABH1027_L | Not specified
CNA | Ingeteam | Ingecon Sun EMS Board | unaffected ABH1007AA | Not specified
CNA | Ingeteam | Ingecon Sun EMS Board | unaffected ABS1009_P | Not specified
CNA | Ingeteam | Ingecon Sun EMS Board | unaffected ABS1005_U | Not specified
CNA | Ingeteam | Ingecon Sun EMS Board | unaffected ACB1005_C | Not specified
CNA | Ingeteam | Ingecon Sun EMS Board | unaffected AAX1031CO | Not specified

References

Reference | Source | Link | Tags
www.incibe.es/en/incibe-cert/notices/aviso-sci/insecure-generation-sat-acce... | [email protected] | www.incibe.es |
www.reversemode.com/2026/05/a-practical-analysis-of-cyber-physical.html | [email protected] | www.reversemode.com |
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: Rubén Santamarta (en)

Additional Advisory Data

Solutions

CNA: The risk has been mitigated with the release of a patch applicable to all versions, developed in December 2025. It is recommended that users update to the newer versions.

© CVE.report 2026
