Skip to main content

STER EUVDEUVD-2026-31424

| CVE-2026-25608 LOW
Cleartext Transmission of Sensitive Information (CWE-319)
2026-05-22 CERT-PL GHSA-3mwj-g532-hjvp
2.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 22, 2026 - 10:15 vuln.today
Patch available
May 22, 2026 - 10:01 EUVD

DescriptionCVE.org

STER uses unencrypted TCP traffic to transmit data over the network. It allows an attacker to conduct a Man-In-The-Middle attack and obtain sensitive data such as passwords, personal data, or authentication tokens.

This issue was fixed in version 9.5.

AnalysisAI

Cleartext TCP transmission in STER (by Poland's Central Institute for Labour Protection, CIOP) exposes sensitive data including passwords, personal data, and authentication tokens to interception. All versions prior to 9.5 are affected per EUVD-2026-31424. Exploitation requires the attacker to be pre-positioned on the network path (CVSS AT:P), limiting opportunistic mass exploitation, but poses meaningful risk in shared or corporate network environments where insider or adjacent-network threats exist. No public exploit code identified at time of analysis and no confirmed active exploitation (CISA KEV).

Technical ContextAI

CWE-319 (Cleartext Transmission of Sensitive Information) describes the root cause: the application transmits data over TCP without TLS or equivalent transport-layer encryption. The affected product is STER, an occupational health and safety management application developed by Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy (CIOP-PIB), identified in CPE as cpe:2.3:a:centralny_instytut_ochrony_pracy_-_państwowy_instytut_badawczy:ster:*:*:*:*:*:*:*:*. Because the TCP stream is unencrypted, any party capable of capturing network traffic between the STER client and server - whether via ARP spoofing, rogue Wi-Fi, compromised router, or physical network tap - can read credentials and session tokens in plaintext. The CVSS 4.0 vector AT:P (Attack Requirements: Present) formalizes that a specific network condition - MitM positioning - must first be achieved before exploitation is possible.

RemediationAI

Vendor-released patch: STER version 9.5, which resolves the cleartext transmission issue. Organizations should upgrade to version 9.5 immediately; upgrade guidance should be obtained from the vendor at https://www.ciop.pl/CIOPPortalWAR/appmanager/ciop/pl?_nfpb=true&_pageLabel=P52000165211572544981480 and the CERT-PL advisory at https://cert.pl/posts/2026/05/CVE-2026-25606. If immediate upgrade is not possible, network-level compensating controls should be applied: restrict STER client-server communication to dedicated VLANs with enforced port-level isolation to block ARP spoofing vectors; require clients to connect only over VPN tunnels (e.g., WireGuard or IPsec), which would encrypt the underlying TCP stream regardless of application-layer behavior; and enable dynamic ARP inspection (DAI) on managed switches serving STER clients to reduce MitM viability. Note that VPN enforcement may introduce latency and requires endpoint management overhead. These controls reduce but do not eliminate risk if an attacker already has insider access to the network segment.

Share

EUVD-2026-31424 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy