
Comarch ERP Optima EUVD-2025-209840 | CVE-2025-68420 HIGH
Incorrect Privilege Assignment (CWE-266)
2026-05-14, CERT-PL, GHSA-8cw5-3v42-mc6r
CVSS 4.0 base score: 7.5

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

May 14, 2026 - 13:16, vuln.today: Analysis Generated
May 14, 2026 - 12:01, EUVD: Patch available
May 14, 2026 - 11:22, NVD: CVSS changed to 7.5 (HIGH)
May 14, 2026 - 10:35, nvd: CVE Published, UNKNOWN (no severity yet)
May 14, 2026 - 10:35, nvd: CVE Published, HIGH 7.5

Description (NVD)

The Comarch ERP Optima client connects to the database using a high-privileged account regardless of the application account a user logs in with. A local attacker who controls the client process can dump its memory, extract the credentials and use them to gain privileged access to the database. To exploit this vulnerability, the client application has to be already configured, but a user does not have to be logged in. This issue has been fixed in version 2026.4.

Analysis (AI)

Memory dump attacks against the Comarch ERP Optima client expose the high-privilege database credentials it holds, allowing local attackers with control of the client process to bypass application-level access controls and gain direct database access with elevated privileges. Exploitation requires a configured client installation but no user login, which creates a persistent risk on shared workstations. CERT-PL publicly disclosed this privilege-assignment flaw (CWE-266) with a patch available in version 2026.4; no active exploitation or public PoC has been confirmed.

Technical Context (AI)

Comarch ERP Optima is an enterprise resource planning system deployed in a client-server architecture where desktop clients connect to centralized databases. The vulnerability stems from improper privilege management (CWE-266): the client application holds database connection credentials for a fixed high-privilege service account in process memory rather than mapping each user to their own database permissions. This violates the principle of least privilege, because every client process is granted database-level access that exceeds its application-level authorization. The Windows client process keeps these credentials in plaintext or weakly protected form in memory that is readable by local administrators or by malware with sufficient process-access capabilities. The CVSS vector's Attack Requirements: Present (AT:P) indicates that the attacker depends on a specific system state, such as a running client process or a resident credential cache.

Remediation (AI)

Upgrade Comarch ERP Optima client software to version 2026.4 or later, which addresses the credential storage architecture flaw according to vendor advisory at https://www.comarch.pl/erp/comarch-optima/. Organizations should prioritize client upgrades on systems accessible to multiple users, terminal servers, or environments with elevated malware risk. As compensating controls until patching completes, implement application whitelisting to prevent unauthorized memory dumping tools (procdump, mimikatz) on workstations running ERP Optima clients, though this introduces operational overhead for legitimate diagnostic activities. Enable Windows Credential Guard on Windows 10+ Enterprise to provide hypervisor-based memory isolation, reducing but not eliminating memory dump risks. Restrict local administrator rights on ERP Optima workstations to limit process memory access capabilities, recognizing this may conflict with legacy application requirements. Monitor database connection logs for unexpected source IPs or off-hours access patterns indicating credential reuse. Note that these controls reduce attack surface but cannot fully mitigate the architectural flaw without applying the vendor patch.
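The last compensating control above, monitoring database connection logs for unexpected source addresses and off-hours logins by the shared service account, is the one that catches credential reuse after a memory dump rather than trying to prevent the dump. The script below is an added example written for this page, not code from Comarch or vuln.today. It assumes a simple line-oriented connection audit format, a client subnet, a business-hours window, an account name and a database name, all of which are constructed placeholders; a real deployment would feed it the SQL Server login audit (or equivalent) and its own allow-list.

```python
import ipaddress
import re
from datetime import datetime, time

# Constructed sample connection-audit lines. The format, account name (erp_svc),
# database name, subnet and program names are assumptions for this example only.
SAMPLE_LOG = """\
2026-05-15T09:12:44 login=erp_svc src=10.0.10.21 db=ERP_DB app=Comarch ERP Optima
2026-05-15T09:30:02 login=erp_svc src=10.0.10.22 db=ERP_DB app=Comarch ERP Optima
this line is malformed and must be skipped, not crash the parser
2026-05-15T02:47:13 login=erp_svc src=10.0.10.21 db=ERP_DB app=Comarch ERP Optima
2026-05-15T11:05:50 login=erp_svc src=192.168.77.9 db=ERP_DB app=sqlcmd
2026-05-15T23:58:01 login=erp_svc src=192.168.77.9 db=ERP_DB app=python
"""

# Assumed site policy: the subnet that hosts ERP Optima workstations, the shift
# during which the client is normally used, and the program name the client reports.
ALLOWED_NETS = [ipaddress.ip_network("10.0.10.0/24")]
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
EXPECTED_APP = "Comarch ERP Optima"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login=(?P<login>\S+) src=(?P<src>\S+) db=(?P<db>\S+) app=(?P<app>.+)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def is_off_hours(ts):
    """True when the login time falls outside the assumed business-hours window."""
    t = ts.time()
    return not (BUSINESS_START <= t < BUSINESS_END)


def is_allowed_source(src):
    """True when the source address belongs to one of the allow-listed client subnets."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparsable address is treated as not allowed
    return any(addr in net for net in ALLOWED_NETS)


def flag_connections(lines, watched_login="erp_svc"):
    """Return findings for logins by the shared ERP service account that look like
    credential reuse from outside the ERP client: unexpected source, unexpected
    time of day, or a program other than the ERP client itself."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["login"] != watched_login:
            continue
        reasons = []
        if not is_allowed_source(rec["src"]):
            reasons.append("source outside ERP client subnet")
        if is_off_hours(rec["ts"]):
            reasons.append("off-hours login")
        if rec["app"] != EXPECTED_APP:
            reasons.append(f"unexpected client program: {rec['app']}")
        if reasons:
            findings.append({"ts": rec["ts"].isoformat(), "src": rec["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_connections(SAMPLE_LOG.splitlines()):
        print(f["ts"], f["src"], "; ".join(f["reasons"]))
```

Because the vulnerable client always uses the same service account, the login name alone cannot distinguish legitimate from stolen use; the useful signal is the combination of source network, time of day and reporting program name, which is why the function records every reason that fired rather than stopping at the first.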
