Severity by source
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was identified in MEPIS RM, an industrial software product developed by Metronik. The application contained a hardcoded cryptographic key within the Mx.Web.ComponentModel.dll component. When the option to store domain passwords was enabled, this key was used to encrypt user passwords before storing them in the application’s database. An attacker with sufficient privileges to access the database could extract the encrypted passwords, decrypt them using the embedded key, and gain unauthorized access to the associated ICS/OT environment.
AnalysisAI
Hardcoded cryptographic key in Metronik MEPIS RM's Mx.Web.ComponentModel.dll component allows privileged database users to decrypt stored domain passwords and gain unauthorized access to ICS/OT environments. The vulnerability affects all versions of MEPIS RM where password storage is enabled; exploitation requires high-level privileges to access the application database, and no public exploit code has been identified at time of analysis.
Technical ContextAI
MEPIS RM, an industrial software product for critical infrastructure, implements password storage functionality that encrypts domain credentials using a hardcoded symmetric cryptographic key embedded directly within the Mx.Web.ComponentModel.dll assembly. When administrators enable the domain password storage option, user passwords are encrypted before being persisted in the application's database. The root cause is classified as CWE-798 (Use of Hardcoded Credentials), a well-established weakness in cryptographic implementations where secret key material is embedded in application code or binaries rather than derived from secure key management systems. This approach fundamentally fails cryptographic security principles: any attacker with read access to the compiled assembly or database can extract both the encrypted passwords and the decryption key, reducing the encryption to security through obscurity. The vulnerability is particularly severe in industrial control system (ICS/OT) environments where MEPIS RM operates, as compromised domain credentials can cascade into broader infrastructure compromise.
RemediationAI
Metronik should release a patched version of MEPIS RM that replaces hardcoded cryptographic key usage with a secure key derivation function (KDF) such as PBKDF2, bcrypt, or Argon2, or implement external key management via secure key vaults. Organizations currently running MEPIS RM should: (1) contact Metronik for patch availability and timeline; (2) as an interim measure, disable the domain password storage feature within MEPIS RM if operationally feasible; (3) restrict database-level access to the MEPIS RM database to only essential service accounts and audit all database access logs for unauthorized extraction attempts; (4) if passwords have been stored using the current mechanism, reset all affected domain credentials and monitor for unauthorized authentication attempts in downstream systems. Additional guidance is available at https://www.cert.si/en/cve-2026-25601/.
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17869