Skip to main content

PDBM CVE-2026-25600

| EUVDEUVD-2026-33619 MEDIUM
Use of Hard-coded Credentials (CWE-798)
2026-06-01 ENISA GHSA-9pjg-jh77-2mjg
6.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jun 01, 2026 - 12:01 EUVD
Analysis Generated
Jun 01, 2026 - 11:21 vuln.today

DescriptionCVE.org

The PDBM application relies on a static, hard‑coded secret embedded in the PDBM.exe executable. This secret is used by the application’s encryption routines, including the function responsible for decrypting credentials stored in the product’s configuration file. Because the secret is constant across installations, any attacker with sufficient local privileges can extract it from the binary. Once obtained, the secret allows the attacker to decrypt the stored password and authenticate as the user defined in the configuration file. In the affected version, this user account is configured with administrative privileges, granting full access to PDBM’s management interface and its underlying operational functions.

AnalysisAI

Hard-coded cryptographic secret in PDBM.exe (by Trac d.o.o.) enables authenticated local attackers to decrypt administrative credentials stored in the product's configuration file. The static secret, constant across all PDBM installations, is embedded directly in the application binary and is used as the key for the credential encryption routine. Because the affected version configures the stored account with full administrative privileges, a successful extraction yields unrestricted access to PDBM's management interface and all underlying operational functions. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Technical ContextAI

PDBM (developed by Trac d.o.o.) is affected across all versions per CPE cpe:2.3:a:trac_d.o.o.:pdbm:*:*:*:*:*:*:*:*, indicating no version boundary has been established by NVD. The root cause is CWE-798 (Use of Hard-coded Credentials): the application embeds a static symmetric secret directly in the PDBM.exe binary rather than deriving it per-installation or storing it in a protected, user-supplied keystore. This secret is passed to the application's encryption routines, which protect credentials persisted in the product's configuration file. Because the secret is identical across every installation, reverse engineering the binary once yields a universal decryption key applicable to any PDBM deployment. The CVSS local attack vector (AV:L) reflects that the binary must be accessible on the target host; the high-privilege prerequisite (PR:H) reflects that reading the executable or configuration file typically requires elevated OS permissions. The CVSS attack complexity of High (AC:H) acknowledges the reverse-engineering effort required to isolate and apply the embedded secret.

RemediationAI

No vendor-released patched version has been identified at time of analysis; the SI-CERT advisory at https://www.cert.si/en/cve-2026-25600/ should be monitored for patch release announcements from Trac d.o.o. Until a patch is available, the most effective compensating control is to restrict OS-level read access to the PDBM.exe binary and its configuration file to the minimum required service account, preventing unauthorized users from accessing either artifact even with standard local access. Additionally, rotate all credentials stored in the PDBM configuration file immediately and reissue them after any patch is applied, since all existing stored passwords should be considered compromised on any system accessible to multiple high-privilege users. Where feasible, isolate PDBM hosts so that lateral movement from other compromised systems does not yield the local high-privilege access the exploit requires. Note that credential rotation alone does NOT remediate the vulnerability - the re-encrypted credentials will still use the same hard-coded secret and remain extractable. If PDBM exposes its management interface over a network, restrict access to that interface via firewall rules to trusted management hosts, limiting the blast radius if admin credentials are extracted.

Share

CVE-2026-25600 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy