CVE-2026-25608 PUBLISHED

Lack of traffic encryption in STER

Assigner: CERT-PL
Reserved: 03.02.2026 Published: 22.05.2026 Updated: 22.05.2026

STER transmits data over the network using unencrypted TCP traffic. This allows an attacker to conduct a man-in-the-middle attack and obtain sensitive data such as passwords, personal data, or authentication tokens.

This issue was fixed in version 9.5.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 2.3

Product Status

Vendor: Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy
Product: STER
Versions (default status: unaffected):
  • affected from 0 to 9.5 (excl.)

Credits

  • Michelin CERT (finder)

Problem Types

  • CWE-319 Cleartext Transmission of Sensitive Information

Impacts

  • CAPEC-117 Interception