VEGA: Missing Authentication for critical function in VEGAPULS Air products

VDE-2026-047
Last update: 05/04/2026 11:05
Published at: 05/04/2026 08:00
Vendor(s): VEGA Grieshaber KG
External ID: VDE-2026-047
CSAF Document

Summary

Vulnerable firmware releases contain an unsecured configuration interface that exposes sensitive information, such as hashed credentials, to unauthorized actors.

It was found that users with no or low rights can access information from devices that should not be available to them.

An attacker can use this information to impersonate authorized users.

Impact

An authenticated attacker can obtain sensitive information, potentially enabling authenticated device modification.

Affected Product(s)

Model no.        Product name                                     Affected versions
PSA41.*****C***  VEGAPULS Air 41 Cellular (NB-IoT/LTE-M)          Firmware < 2.2.1
PSA41.*****N***  VEGAPULS Air 41 Cellular (NB-IoT/LTE-M) + LoRa   Firmware < 2.2.1
PSA41.*****L***  VEGAPULS Air 41 LoRa                             Firmware < 2.2.1
PSA42.*****C***  VEGAPULS Air 42 Cellular (NB-IoT/LTE-M)          Firmware < 2.2.1
PSA42.*****N***  VEGAPULS Air 42 Cellular (NB-IoT/LTE-M) + LoRa   Firmware < 2.2.1
PSA42.*****L***  VEGAPULS Air 42 LoRa                             Firmware < 2.2.1

Vulnerabilities

Published: 05/04/2026 11:15
Weakness: Missing Authentication for Critical Function (CWE-306)
Summary

An unsecured configuration interface on the affected devices allows an authenticated attacker with adjacent access (via Bluetooth) to obtain sensitive information such as hashed credentials and access codes.

References

Mitigation

Implement access controls for interfaces to prevent unauthorized access.

Remediation

Update to the fixed firmware versions listed in this advisory. Rotate any credentials used on affected devices as they may have been compromised. Contact VEGA Support if emergency code rotation is necessary based on your risk assessment.
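
To scope the firmware update and credential rotation, an asset inventory can be checked against the affected-products table. The following is an added example, not part of the advisory or VEGA's tooling; the CSV layout, asset tags and sample order codes are constructed, and it assumes each "*" in a model mask stands for exactly one order-code character.

```python
import csv
import io
import re

# Order-code masks and fixed version from the advisory's affected-products table.
# Assumption: each "*" in a mask stands for exactly one order-code character.
AFFECTED_MASKS = [
    "PSA41.*****C***", "PSA41.*****N***", "PSA41.*****L***",
    "PSA42.*****C***", "PSA42.*****N***", "PSA42.*****L***",
]
FIXED_VERSION = (2, 2, 1)

def mask_to_regex(mask):
    """Turn an order-code mask into an anchored regex ('*' = one character)."""
    return re.compile("".join("." if c == "*" else re.escape(c) for c in mask) + r"\Z")

MASK_PATTERNS = [mask_to_regex(m) for m in AFFECTED_MASKS]

def parse_version(text):
    """Parse 'major.minor.patch'; return None if the field is not a clean version."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(model, firmware):
    """Return 'not-listed', 'fixed', 'affected' or 'unknown-version' for one device."""
    if not any(p.match(model.strip().upper()) for p in MASK_PATTERNS):
        return "not-listed"
    version = parse_version(firmware)
    if version is None:
        return "unknown-version"  # treat as affected until verified on the device
    return "affected" if version < FIXED_VERSION else "fixed"

def audit(inventory_csv):
    """Map each asset tag in a CSV (columns: tag, model, firmware) to its status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["tag"]: classify(r["model"], r["firmware"]) for r in rows}

# Constructed sample inventory; tags, order codes and versions are invented.
SAMPLE = """tag,model,firmware
silo-01,PSA41.XXAAACHKM,2.1.0
silo-02,PSA42.XXAAANHKM,2.2.1
silo-03,PSA41.XXAAALHKM,
tank-07,PSA42.XXAAACHKM,2.10.0
tank-09,PS31.XXAAACHKM,1.0.0
"""

if __name__ == "__main__":
    for tag, status in audit(SAMPLE).items():
        print(f"{tag}: {status}")
```

Versions are compared as integer tuples, so a release such as 2.10.0 is not mistaken for one older than 2.2.1; devices reported as "affected" or "unknown-version" are the ones to update and to include in credential rotation.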

Acknowledgments

VEGA Grieshaber KG thanks the following parties for their efforts:

Revision History

Version  Date              Summary
1.0.0    05/04/2026 08:00  Initial Release
1.0.1    05/04/2026 11:05  Updated Title