Description
Infor SyteLine ERP uses hard-coded static cryptographic keys to encrypt stored credentials, including user passwords, database connection strings, and API keys. The encryption keys are identical across all installations. An attacker with access to the application binary and database can decrypt all stored credentials.
Published: 2026-02-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Credential compromise through decryption of stored credentials
Action: Patch
AI Analysis

Impact

Infor SyteLine ERP stores user passwords, database connection strings, and API keys encrypted with a hard‑coded static cryptographic key that is identical across all installations. Because the same key is used everywhere, an attacker who can read the application binary and the database can decrypt all this sensitive data and gain unauthorized access to system accounts and external services. This flaw is a classic example of improper use of cryptographic keys (CWE‑321 and CWE‑798) and poses a serious confidentiality risk.

Affected Systems

The vulnerable product is Infor SyteLine ERP, version 10.0.8803.16889. Any deployment that uses this default key configuration for credential encryption is affected.

Risk and Exploitability

The CVSS score of 7.1 indicates a medium‑to‑high impact, and the EPSS score of less than 1% suggests that exploitation is not yet common but feasible for an attacker with the right access. The vulnerability is not listed in the CISA KEV catalog, but if the application binary or database becomes exposed, an attacker can realistically recover all passwords and credential secrets. The likely attack vector is an insider or compromised administrator who can read the binary and database files.

Generated by OpenCVE AI on April 17, 2026 at 22:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Acquire and apply any Infor‑issued patch that replaces the hard‑coded key with an installation‑specific key or a secure key‑management scheme
  • Restrict filesystem and database access so that only the minimal privileged application account can read the binary and the database
  • Force a full password reset for all user accounts and regenerate database connection strings and API keys
  • Audit all stored sensitive data for similar hard‑coded key usage and migrate any affected data to a dedicated secure credential vault

Generated by OpenCVE AI on April 17, 2026 at 22:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-798
CPEs cpe:2.3:a:infor:syteline_erp:10.0.8803.16889:*:*:*:*:*:*:*

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Infor
Infor syteline Erp
Vendors & Products Infor
Infor syteline Erp

Fri, 06 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
Description Infor SyteLine ERP uses hard-coded static cryptographic keys to encrypt stored credentials, including user passwords, database connection strings, and API keys. The encryption keys are identical across all installations. An attacker with access to the application binary and database can decrypt all stored credentials.
Title Use of Hard-Coded Cryptographic Key for Password Storage
Weaknesses CWE-321
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Infor Syteline Erp
cve-icon MITRE

Status: PUBLISHED

Assigner: BLSOPS

Published:

Updated: 2026-02-06T16:39:17.314Z

Reserved: 2026-02-06T13:40:47.744Z

Link: CVE-2026-2103

cve-icon Vulnrichment

Updated: 2026-02-06T16:39:10.277Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-06T17:16:28.240

Modified: 2026-02-17T15:46:31.470

Link: CVE-2026-2103

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T22:45:29Z

Weaknesses