Severity by source
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Use of a weak password encoding algorithm in STER software allows the value of the password to be guessed after analyzing how passwords with known values are encoded.
This issue was fixed in version 9.5.
AnalysisAI
Weak password encoding in STER (all versions before 9.5) exposes stored credentials to local reverse-engineering by any low-privileged user on the system. The root cause (CWE-261) is use of a reversible or insufficiently one-way encoding scheme rather than a cryptographically strong hashing algorithm, enabling an attacker who can observe encoded password data to deduce plaintext values by analyzing patterns across known-value samples. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the high confidentiality impact (VC:H in CVSS 4.0) confirms that successful exploitation fully exposes affected credentials. The issue was reported by CERT-PL and fixed by CIOP-PIB in version 9.5.
Technical ContextAI
STER is software developed by Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy (CIOP-PIB), a Polish research institute, as identified via CPE cpe:2.3:a:centralny_instytut_ochrony_pracy_-_państwowy_instytut_badawczy:ster:*:*:*:*:*:*:*:*. The vulnerability is classified under CWE-261 (Weak Encoding for Password), which describes the failure to use a sufficiently strong one-way algorithm - such as bcrypt, Argon2, or PBKDF2 with salting - for protecting stored passwords. Instead, STER employs an algorithm whose output is deterministic and pattern-analyzable, meaning a local user can compare encodings of passwords they control (known-plaintext) against encodings of target passwords, and deduce the plaintext through pattern analysis or partial reversal. This is distinct from a simple plaintext storage flaw: the passwords are encoded, but the encoding is cryptographically weak and reversible given sufficient samples.
RemediationAI
Upgrade STER to version 9.5 or later, which contains the vendor-released fix for this vulnerability per the official advisory. The CERT-PL disclosure is available at https://cert.pl/posts/2026/05/CVE-2026-25606 and should be consulted for additional guidance. If immediate upgrade is not feasible, administrators should as a compensating control restrict read access to any database tables, files, or configuration stores containing encoded password values to only the minimum necessary service accounts, thereby raising the bar for the local access required for exploitation. Additionally, enforcing unique, complex passwords for all STER accounts reduces the value of any credential recovered through analysis. Note that these compensating controls do not eliminate the underlying encoding weakness and should not substitute for patching.
SQL injection in STER (Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy) versions prior to 9.5 allows auth
Cleartext TCP transmission in STER (by Poland's Central Institute for Labour Protection, CIOP) exposes sensitive data in
Same weakness CWE-261 – Weak Encoding for Password
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31423
GHSA-86fv-7c2x-fgx6