CVE-2026-24790 (GCVE-0-2026-24790)

Vulnerability from cvelistv5 – Published: 2026-02-20 16:15 – Updated: 2026-02-20 18:59
VLAI?
Title
Welker OdorEyes EcoSystem Pulse Bypass System with XL4 Controller Missing Authentication for Critical Function
Summary
The underlying PLC of the device can be remotely influenced, without proper safeguards or authentication.
Severity ?
8.2 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
CWE
Assigner
References
Impacted products
Vendor Product Version
Welker OdorEyes EcoSystem Pulse Bypass System with XL4 Controller Affected: All versions
Create a notification for this product.
Credits
A project sponsored by DHS S&T reported this vulnerability to CISA.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24790",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-20T18:57:49.840358Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-20T18:59:34.973Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "OdorEyes EcoSystem Pulse Bypass System with XL4 Controller",
          "vendor": "Welker",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "A project sponsored by DHS S\u0026T reported this vulnerability to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The underlying PLC of the device can be remotely influenced, without proper safeguards or authentication."
            }
          ],
          "value": "The underlying PLC of the device can be remotely influenced, without proper safeguards or authentication."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-20T16:15:21.374Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.welker.com/contact-us/welker-team"
        },
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-04"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-04.json"
        }
      ],
      "source": {
        "advisory": "ICSA-26-050-04",
        "discovery": "EXTERNAL"
      },
      "title": "Welker OdorEyes EcoSystem Pulse Bypass System with XL4 Controller Missing Authentication for Critical Function",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Welker did not respond to CISA\u0027s attempts at coordination. Users of \nWelker OdorEyes devices are encouraged to contact Welker and keep their \nsystems up to date.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Welker did not respond to CISA\u0027s attempts at coordination. Users of \nWelker OdorEyes devices are encouraged to contact Welker and keep their \nsystems up to date."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2026-24790",
    "datePublished": "2026-02-20T16:15:21.374Z",
    "dateReserved": "2026-02-05T19:05:16.840Z",
    "dateUpdated": "2026-02-20T18:59:34.973Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-24790\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-20T18:57:49.840358Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-20T18:59:25.728Z\"}}], \"cna\": {\"title\": \"Welker OdorEyes EcoSystem Pulse Bypass System with XL4 Controller Missing Authentication for Critical Function\", \"source\": {\"advisory\": \"ICSA-26-050-04\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"A project sponsored by DHS S\u0026T reported this vulnerability to CISA.\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Welker\", \"product\": \"OdorEyes EcoSystem Pulse Bypass System with XL4 Controller\", \"versions\": [{\"status\": \"affected\", \"version\": \"All versions\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.welker.com/contact-us/welker-team\"}, {\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-04\"}, {\"url\": \"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-04.json\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Welker did not respond to CISA\u0027s attempts at coordination. Users of \\nWelker OdorEyes devices are encouraged to contact Welker and keep their \\nsystems up to date.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Welker did not respond to CISA\u0027s attempts at coordination. Users of \\nWelker OdorEyes devices are encouraged to contact Welker and keep their \\nsystems up to date.\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The underlying PLC of the device can be remotely influenced, without proper safeguards or authentication.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The underlying PLC of the device can be remotely influenced, without proper safeguards or authentication.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-306\", \"description\": \"CWE-306\"}]}], \"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2026-02-20T16:15:21.374Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-24790\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-20T18:59:34.973Z\", \"dateReserved\": \"2026-02-05T19:05:16.840Z\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"datePublished\": \"2026-02-20T16:15:21.374Z\", \"assignerShortName\": \"icscert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.