CVE-2026-25601

Credential Exposure vulnerability in MEPIS RM

Assigner: ENISA
Reserved: 03.02.2026 Published: 01.04.2026 Updated: 01.04.2026

A vulnerability was identified in MEPIS RM, an industrial software product developed by Metronik. The application contained a hardcoded cryptographic key within the Mx.Web.ComponentModel.dll component. When the option to store domain passwords was enabled, this key was used to encrypt user passwords before storing them in the application’s database. An attacker with sufficient privileges to access the database could extract the encrypted passwords, decrypt them using the embedded key, and gain unauthorized access to the associated ICS/OT environment.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 6.4

Attack Vector	Local	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Metronik d.o.o.
Product	MEPIS RM
Versions	Default: unaffected affected from 0 to 8.2.0107 (excl.) affected from 0 to 8.2.0007 build 15 (excl.)

Vendor

Metronik d.o.o.

Product

MEPIS RM

Versions

Default: unaffected

affected from 0 to 8.2.0107 (excl.)
affected from 0 to 8.2.0007 build 15 (excl.)

References

Problem Types

CWE-798: Use of Hard-coded Credentials CWE

CVE-2026-25601 PUBLISHED

Credential Exposure vulnerability in MEPIS RM

Metrics

Product Status

References

Problem Types