Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Use of hard-coded credentials in KS-SOMED allowed an unauthorized attacker access to FTP server that hosted the application's update packages. The attacker with these credentials could upload a malicious update file, which then may have been distributed and installed on client machines as a legitimate update.
This issue affects KS-SOMED with modules: KSPLUPDFTP.exe up to 30.00.00.056 and ANEKSKLIENT.EXE up to 29.00.02.026
Beside removing the hard-coded credentials from the code and changing the update process, access granted by previously exposed credentials was limited to read-only.
AnalysisAI
Credential exposure in Kamsoft KS-SOMED medical software allowed remote unauthenticated attackers to authenticate to the FTP server hosting application update packages by extracting hard-coded credentials from the KSPLUPDFTP.exe and ANEKSKLIENT.EXE modules. While the vendor states the exposed credentials ultimately had only read-only access, the original threat model included an attacker uploading a malicious update file that would propagate to client machines as a legitimate update. No public exploit identified at time of analysis.
Technical ContextAI
KS-SOMED is a Polish healthcare information system distributed by Kamsoft (see https://kamsoft.pl/ks-somed/), in which client installations pull update packages from a centrally hosted FTP server. The vulnerability is rooted in CWE-798 (Use of Hard-coded Credentials): the FTP credentials needed to authenticate to the update server were embedded directly in the compiled binaries KSPLUPDFTP.exe (the FTP updater component) and ANEKSKLIENT.EXE (the annex client). Anyone with a copy of these executables could perform static analysis or string extraction to recover the credentials and reuse them against the live FTP service, bypassing the implicit trust that the update channel relies on.
RemediationAI
Operators should upgrade KS-SOMED so that KSPLUPDFTP.exe is above 30.00.00.056 and ANEKSKLIENT.EXE is above 29.00.02.026; the vendor description indicates the hard-coded credentials were removed and the update delivery process was changed, so apply the vendor-released patch via Kamsoft (https://kamsoft.pl/ks-somed/) and refer to the CERT.PL advisory at https://cert.pl/posts/2026/06/CVE-2026-1958 for full details. No exact patched version string is enumerated in the supplied data beyond 'above the listed versions', so confirm the fixed build number directly with Kamsoft before deployment. As compensating controls until patching, restrict outbound access from client installations to the legitimate update FTP host only via egress firewall rules, rotate any credentials that were ever shared with the exposed FTP account, and where feasible block or proxy the FTP update endpoint at the network boundary and stage updates manually - note the trade-off that blocking the update channel will stop legitimate updates from flowing and may leave clients on older versions if not actively managed.
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33642
GHSA-vqmx-wc76-rxc7