Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H because exploitation depends on first obtaining the hash (a precondition outside attacker control); confidentiality-only (C:H, I:N, A:N) as the flaw discloses superadmin credentials.
Primary rating from Vendor (cert).
CVSS VectorVendor: cert
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
R-SOFT DMS stores superadmin credentials using a non-salted nested MD5 hash. This allows an attacker who obtain password hash to decode superadmin credentials. Critically, this password cannot be changed except by modifying the configuration file.
This issue was fixed in version v3.17-2000.
AnalysisAI
Credential disclosure in R-SOFT DMS lets an attacker who obtains the stored superadmin password hash recover the plaintext password, because credentials are protected with a non-salted, nested MD5 hash that is trivially reversible via brute-force and precomputed rainbow tables. The superadmin account is high-value and cannot be rotated through the UI - the password can only be changed by editing the configuration file - so recovered credentials remain valid indefinitely. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must first obtain the stored superadmin password hash - from the configuration file, backend database, a backup, or memory - which is exactly the Attack Requirement (AT:P) reflected in the CVSS 4.0 vector; the vulnerability itself does not grant that hash. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 base score is 8.2 with vector AV:N/AC:L/AT:P/PR:N/UI:N/VC:H (confidentiality-only impact). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has gained read access to the R-SOFT DMS configuration file, database, or a backup - for example through a file-disclosure bug, misconfigured share, or insider access - extracts the stored superadmin hash. Recognizing it as an unsalted nested MD5, they crack it offline in seconds-to-minutes using GPU brute-force or a rainbow table, recover the plaintext password, and log in as superadmin. … |
| Remediation | Vendor-released patch: v3.17-2000 - upgrade R-SOFT DMS to v3.17-2000 or later, which addresses the weak-hash storage. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all R-SOFT DMS deployments and document superadmin account usage patterns; implement network segmentation to restrict access to the DMS to authorized personnel only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-328 – Use of Weak Hash
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42857
GHSA-2mx5-42xw-7586