CVE-2026-25601

MEDIUM

Credential Exposure vulnerability in MEPIS RM

Title source: cna

Description

A vulnerability was identified in MEPIS RM, an industrial software product developed by Metronik. The application contained a hardcoded cryptographic key within the Mx.Web.ComponentModel.dll component. When the option to store domain passwords was enabled, this key was used to encrypt user passwords before storing them in the application’s database. An attacker with sufficient privileges to access the database could extract the encrypted passwords, decrypt them using the embedded key, and gain unauthorized access to the associated ICS/OT environment.

References (1)

[Third Party Advisory] https://www.cert.si/en/cve-2026-25601/

Scores

CVSS v3 6.4

EPSS 0.0001

EPSS Percentile 0.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-798

Status published

Products (4)

metronik/mepis_rm 8.2.0007

metronik/mepis_rm < 8.2.017

Metronik d.o.o./MEPIS RM < 8.2.0007 build 15

Metronik d.o.o./MEPIS RM < 8.2.0107

Published Apr 01, 2026

Tracked Since Apr 01, 2026