Skip to main content

ERP App CVE-2026-14807

| EUVDEUVD-2026-41816 CRITICAL
Use of Hard-coded Credentials (CWE-798)
2026-07-06 twcert GHSA-8xw6-3xrm-fqhg
9.3
CVSS 4.0 · Vendor: twcert
Share

Severity by source

Vendor (twcert) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Unauthenticated (hard-coded credential = PR:N) network login with low complexity; code and database-credential disclosure enable full read/write to the vulnerable system, so C/I/A all High, scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (twcert).

CVSS VectorVendor: twcert

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 06, 2026 - 07:51 vuln.today

DescriptionCVE.org

ERP App developed by PROG MIS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to view application code and obtain the database account and password.

AnalysisAI

Credential exposure and authentication bypass in PROG MIS's ERP App lets unauthenticated remote attackers log in using hard-coded credentials, then read application source code and extract the backing database account and password. Because the leaked database credentials grant direct access to the data tier, a single successful login can escalate into full compromise of the application's stored data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach ERP App login over network
Delivery
Authenticate with hard-coded credentials
Exploit
View application source code
Execution
Extract database account and password
Persist
Connect directly to backend database
Impact
Exfiltrate or modify business data

Vulnerability AssessmentAI

Exploitation Exploitation requires only network reachability to the ERP App's login interface plus knowledge of the product's hard-coded credential (a constant secret shared across all installations, consistent with CWE-798 and the PR:N vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to genuinely high real-world risk rather than an inflated CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has discovered the shipped hard-coded credential (from prior analysis of the product or the TWCERT disclosure) sends normal login requests to an internet-reachable ERP App instance and authenticates without any legitimate account. They then use the application-code viewing functionality to read source that embeds the database connection string, extract the database username and password, and connect directly to the backend database to exfiltrate or alter business data. …
Remediation Apply the vendor's fixed release as directed in the TWCERT advisories (https://www.twcert.org.tw/en/cp-139-11024-c5c1a-2.html and https://www.twcert.org.tw/tw/cp-132-11023-3abe8-1.html); no exact fixed version number is provided in the available data, so contact PROG MIS to obtain the patched build and confirm the version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit network inventory to identify all PROG MIS ERP instances and map internet exposure; disable remote access or place behind VPN if feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14807 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy