Skip to main content

Comarch ERP Optima CVE-2025-68421

| EUVDEUVD-2025-209839 HIGH
Use of Hard-coded Credentials (CWE-798)
2026-05-14 CERT-PL GHSA-8j5g-5398-wgwq
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Generated
May 14, 2026 - 13:15 vuln.today
Patch available
May 14, 2026 - 12:01 EUVD
CVSS changed
May 14, 2026 - 11:22 NVD
8.7 (HIGH)
CVE Published
May 14, 2026 - 10:35 nvd
UNKNOWN (no severity yet)
CVE Published
May 14, 2026 - 10:35 nvd
HIGH 8.7

DescriptionCVE.org

Comarch ERP Optima client makes use of a hard-coded password for a database user. These credentials cannot be changed. It is possible for a remote attacker to gain an access to the database with elevated privileges including executing system commands on a server. This issue has been fixed in version 2026.4

AnalysisAI

Hard-coded database credentials in Comarch ERP Optima client allow remote attackers on adjacent networks to access the backend database with elevated privileges and execute system commands on the server. The immutable credentials enable authentication bypass without requiring any user interaction or existing privileges. Fixed in version 2026.4, reported by CERT-PL. No public exploit or KEV listing identified at time of analysis, though the straightforward nature of credential-based attacks (CVSS:4.0 AV:A/AC:L/PR:N) suggests high exploitability for attackers with local network access.

Technical ContextAI

CWE-798 (Use of Hard-coded Credentials) represents a critical design flaw where authentication secrets are embedded directly in application code or configuration files. In Comarch ERP Optima client (CPE: cpe:2.3:a:comarch:erp_optima), a database user account credential is permanently hard-coded and cannot be modified through configuration or administrative controls. This violates fundamental security principles of credential rotation and secrets management. The client application uses these embedded credentials to authenticate to the ERP backend database, which according to the vulnerability report grants elevated privileges sufficient for executing system-level commands. This suggests the hard-coded account has excessive permissions (possibly DBA or equivalent). The CVSS 4.0 vector indicates adjacent network attack vector (AV:A), meaning the attacker must be on the same network segment as the database server or client system, but requires no authentication (PR:N) and has low attack complexity (AC:L).

RemediationAI

Upgrade Comarch ERP Optima client to version 2026.4 or later immediately, as confirmed by vendor patch release and CERT-PL advisory. The fix presumably removes hard-coded credentials and implements proper credential management. For environments unable to upgrade immediately, implement network segmentation to restrict database server access to only authorized ERP client IP addresses using firewall rules or VLANs-this mitigates the adjacent network attack vector but does NOT eliminate risk from compromised legitimate clients. Enable database audit logging to detect unauthorized access attempts using the hard-coded credentials. Consider monitoring for database connections from unexpected client IP addresses or unusual command execution patterns. Note that network controls are compensating measures only; the fundamental vulnerability remains until upgrade is applied since credentials cannot be changed. Advisory and patch details: https://www.comarch.pl/erp/comarch-optima/ and https://cert.pl/posts/2026/05/CVE-2025-68420/.

Share

CVE-2025-68421 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy