CVE-2026-50210
AES-CBC Replay Attacks in Device Firmware
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: 8fc372e3-d9c5-46e4-9410-38469745c639
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs because the device encrypts data using AES-CBC mode with static zero-filled Initialization Vectors (IVs).
Using static zero-filled IVs weakens the encryption, making it vulnerable to replay attacks and known-plaintext decryption.
How can this vulnerability impact me? :
The vulnerability can allow attackers to perform replay attacks, where previously captured encrypted data can be resent to the device to cause unintended effects.
Additionally, attackers may decrypt data if they have knowledge of some plaintext, compromising confidentiality.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability involves the use of AES-CBC encryption with static zero-filled Initialization Vectors (IVs), which makes the device susceptible to replay attacks and known-plaintext decryption.
Such weaknesses in encryption can undermine the confidentiality and integrity of sensitive data, potentially leading to non-compliance with data protection standards and regulations like GDPR and HIPAA that require strong cryptographic protections.