Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was determined in Industrial Application Software IAS Canias ERP 8.03. This affects an unknown function of the component JNLP Deployment Endpoint. Executing a manipulation can lead to use of hard-coded cryptographic key . The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Hard-coded cryptographic key in Canias ERP 8.03 JNLP Deployment Endpoint allows unauthenticated remote attackers to obtain sensitive information through manipulation of the affected component. The vulnerability affects the Java Network Launch Protocol deployment mechanism, enabling key discovery and potential decryption of encrypted communications. No vendor patch has been released despite early disclosure notification.
Technical ContextAI
Canias ERP 8.03 uses JNLP (Java Network Launch Protocol) for application deployment. JNLP is a protocol that enables Java applications to be launched and updated via network mechanisms. The vulnerability exists in the JNLP Deployment Endpoint component, which likely handles application signing, authentication, or secure communications. The root cause is classified under CWE-320 (Key Management Errors), specifically the use of hard-coded cryptographic keys embedded in the application code or configuration. Hard-coded keys cannot be rotated, are discoverable through reverse engineering or memory analysis, and compromise the entire cryptographic scheme protecting deployment integrity or inter-component communications. The attack vector is network-based (CVSS AV:N) with low complexity (AC:L), requiring no authentication (PR:N) or user interaction (UI:N), meaning the endpoint is directly exploitable.
RemediationAI
No vendor-released patch is available. Given the vendor's non-response to early disclosure, organizations should implement the following compensating controls: (1) Network segmentation - restrict access to the JNLP Deployment Endpoint to trusted networks or administrative subnets only, using firewall rules or network access control lists to block remote, untrusted connections; (2) Monitor JNLP traffic - enable logging and alerting for JNLP protocol activity to detect anomalous deployment requests or cryptographic key access attempts; (3) Code/configuration review - conduct reverse engineering or code audit of the JNLP component to locate hard-coded cryptographic keys and assess their scope (signing keys, encryption keys, etc.); (4) Consider application isolation - run Canias ERP 8.03 in a containerized or virtualized environment with strict network policies to limit blast radius if the deployment endpoint is compromised; (5) Evaluate upgrade feasibility - investigate whether upgrading to a newer Canias ERP version (if available) resolves the hard-coded key issue, balancing migration effort against persistent vulnerability risk. Contact the vendor directly or consider alternative ERP solutions if long-term support for this version is uncertain.
Same weakness CWE-320 – Key Management Errors
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28992
GHSA-7xxx-43w2-xvh3