Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A flaw has been found in PicoTronica e-Clinic Healthcare System ECHS 5.7. The impacted element is an unknown function of the file /cdemos/echs/priv/echs.js. This manipulation of the argument ADMIN_KEY causes hard-coded credentials. The attack is possible to be carried out remotely. The exploit has been published and may be used. Upgrading to version 5.7.1 is sufficient to resolve this issue. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
AnalysisAI
Hard-coded administrative credentials in PicoTronica e-Clinic Healthcare System ECHS 5.7 enable remote attackers to bypass authentication and gain privileged access to the healthcare management platform. The vulnerability resides in the /cdemos/echs/priv/echs.js file where the ADMIN_KEY parameter contains static credentials, allowing network-level exploitation without authentication (AV:N/PR:N). Public exploit documentation exists, though CISA KEV does not list active exploitation. EPSS data unavailable, but the combination of healthcare sector targeting, authentication bypass capability, and public POC elevates real-world risk despite moderate CVSS 7.3 scoring.
Technical ContextAI
This vulnerability exemplifies CWE-798 (Use of Hard-coded Credentials), a critical security anti-pattern where authentication secrets are embedded directly in client-side JavaScript code. The affected file /cdemos/echs/priv/echs.js contains a hard-coded ADMIN_KEY parameter accessible to anyone who can retrieve the JavaScript file over HTTP/HTTPS. In web applications, client-side code is inherently public-any user can view source, inspect network traffic, or decompile minified scripts. Storing administrative credentials in this context means the secret is effectively published to all users and attackers alike. The CPE identifier confirms this affects PicoTronica's e-Clinic Healthcare System ECHS, a medical practice management platform that likely handles protected health information (PHI) under regulations like HIPAA or GDPR, amplifying the regulatory and privacy implications of unauthorized access.
RemediationAI
Upgrade to PicoTronica e-Clinic Healthcare System ECHS version 5.7.1 immediately, which removes hard-coded credentials per vendor confirmation at https://vuldb.com/vuln/361358. For environments where immediate patching is not feasible, implement these compensating controls with noted limitations: restrict network access to /cdemos/echs/priv/ directory and all administrative endpoints using web application firewall rules or reverse proxy ACLs (reduces attack surface but does not eliminate credential exposure to internal users); enforce IP address allowlisting for administrative access from known management networks only (effective against external attackers but requires static IP infrastructure and breaks remote administration); deploy intrusion detection signatures to alert on access attempts to echs.js file combined with subsequent authentication attempts using the compromised key (detective control only, does not prevent compromise). Note that these mitigations do not remediate the root cause-credentials remain hard-coded and discoverable by anyone with application access. Post-upgrade, force password reset for all administrative accounts and audit authentication logs from the past 90 days for anomalous access patterns that may indicate prior exploitation.
Missing authentication in PicoTronica e-Clinic Healthcare System ECHS 5.7 allows remote unauthenticated attackers to acc
Information disclosure in PicoTronica e-Clinic Healthcare System ECHS 5.7 allows remote unauthenticated attackers to ext
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28203