Credential Exposure vulnerability in MEPIS RM_CVE-2026-25601

6.4 / 10

MEDIUM

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Description

A vulnerability was identified in MEPIS RM, an industrial
software product developed by Metronik. The application contained a hardcoded
cryptographic key within the Mx.Web.ComponentModel.dll component. When the
option to store domain passwords was enabled, this key was used to encrypt user
passwords before storing them in the application’s database. An attacker with
sufficient privileges to access the database could extract the encrypted
passwords, decrypt them using the embedded key, and gain unauthorized access to
the associated ICS/OT environment.

Basic Information

ID CVE-2026-25601

Source ENISA

Published Apr 1, 2026 at 11:28

Modified Apr 1, 2026 at 12:35

Affected Product

Vendor Metronik d.o.o.

Product MEPIS RM

Affected Versions Metronik d.o.o. MEPIS RM 0
Metronik d.o.o. MEPIS RM 0

CWE Classification

CWE-798

References

www.cert.si /en/cve-2026-25601/

{
    "lastseen": "",
    "description": "A vulnerability was identified in MEPIS RM, an industrial\nsoftware product developed by Metronik. The application contained a hardcoded\ncryptographic key within the Mx.Web.ComponentModel.dll component. When the\noption to store domain passwords was enabled, this key was used to encrypt user\npasswords before storing them in the application\u2019s database. An attacker with\nsufficient privileges to access the database could extract the encrypted\npasswords, decrypt them using the embedded key, and gain unauthorized access to\nthe associated ICS/OT environment.",
    "published": "2026-04-01T11:28:57.110Z",
    "modified": "2026-04-01T12:35:48.644Z",
    "type": "cve",
    "title": "Credential Exposure vulnerability in MEPIS RM",
    "source": "ENISA",
    "references": "https://www.cert.si/en/cve-2026-25601/",
    "id": "CVE-2026-25601",
    "bulletinFamily": "",
    "cwe": [
        "CWE-798"
    ],
    "cvelist": null,
    "sourceData": "Metronik d.o.o. MEPIS RM 0\nMetronik d.o.o. MEPIS RM 0",
    "sourceHref": "",
    "cvss": {
        "score": 6.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "MEPIS RM",
    "version": "0",
    "vendor": "Metronik d.o.o.",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}