Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated (hard-coded credential = PR:N) network login with low complexity; code and database-credential disclosure enable full read/write to the vulnerable system, so C/I/A all High, scope unchanged.
Primary rating from Vendor (twcert).
CVSS VectorVendor: twcert
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
ERP App developed by PROG MIS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to view application code and obtain the database account and password.
AnalysisAI
Credential exposure and authentication bypass in PROG MIS's ERP App lets unauthenticated remote attackers log in using hard-coded credentials, then read application source code and extract the backing database account and password. Because the leaked database credentials grant direct access to the data tier, a single successful login can escalate into full compromise of the application's stored data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only network reachability to the ERP App's login interface plus knowledge of the product's hard-coded credential (a constant secret shared across all installations, consistent with CWE-798 and the PR:N vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All available signals point to genuinely high real-world risk rather than an inflated CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has discovered the shipped hard-coded credential (from prior analysis of the product or the TWCERT disclosure) sends normal login requests to an internet-reachable ERP App instance and authenticates without any legitimate account. They then use the application-code viewing functionality to read source that embeds the database connection string, extract the database username and password, and connect directly to the backend database to exfiltrate or alter business data. … |
| Remediation | Apply the vendor's fixed release as directed in the TWCERT advisories (https://www.twcert.org.tw/en/cp-139-11024-c5c1a-2.html and https://www.twcert.org.tw/tw/cp-132-11023-3abe8-1.html); no exact fixed version number is provided in the available data, so contact PROG MIS to obtain the patched build and confirm the version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit network inventory to identify all PROG MIS ERP instances and map internet exposure; disable remote access or place behind VPN if feasible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41816
GHSA-8xw6-3xrm-fqhg