PatchSiren cyber security CVE debrief

CVE-2026-3323 Vega CVE debrief

CVE-2026-3323 is a HIGH-severity authentication weakness affecting Vega VEGAPULS 6X firmware. According to the NVD record and the referenced CERT VDE advisory, an unsecured configuration interface can allow unauthenticated remote attackers to access sensitive information, including hashed credentials and access codes. NVD lists firmware versions 1.0.0 and 1.1.0 as vulnerable.

Vendor: Vega
Product: CVE-2026-3323
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-28
Original CVE updated: 2026-05-11
Advisory published: 2026-04-28
Advisory updated: 2026-05-11

Who should care

Administrators and security teams responsible for Vega VEGAPULS 6X devices running firmware 1.0.0 or 1.1.0, especially where configuration access could be reachable from untrusted networks.

Technical summary

The NVD record classifies this issue as CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating a network-reachable problem that requires no privileges or user interaction and primarily impacts confidentiality. The referenced advisory maps the issue to CWE-306, and the affected CPEs in the corpus are Vega VEGAPULS 6X firmware 1.0.0 and 1.1.0.

Defensive priority

High. The issue is remotely reachable, requires no authentication, and can expose credential material, so exposed devices should be reviewed promptly.

Recommended defensive actions

  • Inventory Vega VEGAPULS 6X deployments and confirm whether firmware 1.0.0 or 1.1.0 is in use.
  • Restrict access to any configuration interface using segmentation, ACLs, VPNs, or other network controls if exposure exists.
  • Follow the linked CERT VDE / Vega advisory and apply vendor-provided remediation or firmware updates if available.
  • Rotate credentials and access codes that may have been exposed through the interface.
  • Monitor for unauthorized access attempts against management or configuration services.

Evidence notes

The supplied corpus includes the NVD modified record dated 2026-05-11 and the original CVE publication date of 2026-04-28. NVD marks the vulnerability status as Analyzed, cites the severity vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, and references two third-party advisory links from CERT VDE: the advisory landing page and the machine-readable CSAF white record. The vulnerable CPE criteria in the corpus are limited to Vega VEGAPULS 6X firmware versions 1.0.0 and 1.1.0.

Official resources

Publicly disclosed through the CVE and NVD records, with third-party advisory references from CERT VDE/Vega in the supplied corpus. No KEV entry or ransomware association is present in the provided data.