Skip to main content

Mepis Rm CVE-2026-25601

| EUVDEUVD-2026-17869 MEDIUM
Use of Hard-coded Credentials (CWE-798)
2026-04-01 ENISA
6.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 01, 2026 - 11:45 euvd
EUVD-2026-17869
Analysis Generated
Apr 01, 2026 - 11:45 vuln.today
CVE Published
Apr 01, 2026 - 11:28 nvd
MEDIUM 6.4

DescriptionCVE.org

A vulnerability was identified in MEPIS RM, an industrial software product developed by Metronik. The application contained a hardcoded cryptographic key within the Mx.Web.ComponentModel.dll component. When the option to store domain passwords was enabled, this key was used to encrypt user passwords before storing them in the application’s database. An attacker with sufficient privileges to access the database could extract the encrypted passwords, decrypt them using the embedded key, and gain unauthorized access to the associated ICS/OT environment.

AnalysisAI

Hardcoded cryptographic key in Metronik MEPIS RM's Mx.Web.ComponentModel.dll component allows privileged database users to decrypt stored domain passwords and gain unauthorized access to ICS/OT environments. The vulnerability affects all versions of MEPIS RM where password storage is enabled; exploitation requires high-level privileges to access the application database, and no public exploit code has been identified at time of analysis.

Technical ContextAI

MEPIS RM, an industrial software product for critical infrastructure, implements password storage functionality that encrypts domain credentials using a hardcoded symmetric cryptographic key embedded directly within the Mx.Web.ComponentModel.dll assembly. When administrators enable the domain password storage option, user passwords are encrypted before being persisted in the application's database. The root cause is classified as CWE-798 (Use of Hardcoded Credentials), a well-established weakness in cryptographic implementations where secret key material is embedded in application code or binaries rather than derived from secure key management systems. This approach fundamentally fails cryptographic security principles: any attacker with read access to the compiled assembly or database can extract both the encrypted passwords and the decryption key, reducing the encryption to security through obscurity. The vulnerability is particularly severe in industrial control system (ICS/OT) environments where MEPIS RM operates, as compromised domain credentials can cascade into broader infrastructure compromise.

RemediationAI

Metronik should release a patched version of MEPIS RM that replaces hardcoded cryptographic key usage with a secure key derivation function (KDF) such as PBKDF2, bcrypt, or Argon2, or implement external key management via secure key vaults. Organizations currently running MEPIS RM should: (1) contact Metronik for patch availability and timeline; (2) as an interim measure, disable the domain password storage feature within MEPIS RM if operationally feasible; (3) restrict database-level access to the MEPIS RM database to only essential service accounts and audit all database access logs for unauthorized extraction attempts; (4) if passwords have been stored using the current mechanism, reset all affected domain credentials and monitor for unauthorized authentication attempts in downstream systems. Additional guidance is available at https://www.cert.si/en/cve-2026-25601/.

Share

CVE-2026-25601 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy