Description
The PDBM application relies on a static, hard‑coded secret embedded
in the PDBM.exe executable. This secret is used by the application’s
encryption routines, including the function responsible for decrypting
credentials stored in the product’s configuration file. Because the
secret is constant across installations, any attacker with sufficient
local privileges can extract it from the binary. Once obtained, the secret allows the attacker to decrypt the stored
password and authenticate as the user defined in the configuration file.
In the affected version, this user account is configured with
administrative privileges, granting full access to PDBM’s management
interface and its underlying operational functions.
Published: 2026-06-01
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The PDBM application contains a static, hard‑coded secret used for decrypting the credentials stored in its configuration file. An attacker who achieves local privileges can extract this secret from the executable, then use it to decrypt the stored password and authenticate as the configured user. Because in the affected version that user has administrative privileges, the attacker gains full control of the PDBM management interface and underlying operational functions.

Affected Systems

Vendor Trac d.o.o. product PDBM. No specific version information is provided; attacks affect installations that use the current version containing the hard‑coded secret.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity. No EPSS score is available and the vulnerability is not listed in CISA’s KEV, suggesting it has not yet been widely exploited. Exploitation requires local privilege to read the binary and configuration file; the attacker then can decrypt credentials and obtain administrative access. Because the vulnerability is only exploitable from the local system, the risk is confined to users who can gain local execution on the host.

Generated by OpenCVE AI on June 1, 2026 at 12:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the newest PDBM release or vendor‑issued patch that removes the hard‑coded secret.
  • Restrict file system permissions to limit read access to the PDBM.exe executable and its configuration file to privileged users only.
  • Re‑configure the default account used by PDBM to operate with minimal privileges or use a dedicated service account with constrained rights.

Generated by OpenCVE AI on June 1, 2026 at 12:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.cert.si/en/cve-2026-25600/ cve-icon cve-icon
History

Mon, 01 Jun 2026 11:00:00 +0000

Type Values Removed Values Added
Description The PDBM application relies on a static, hard‑coded secret embedded in the PDBM.exe executable. This secret is used by the application’s encryption routines, including the function responsible for decrypting credentials stored in the product’s configuration file. Because the secret is constant across installations, any attacker with sufficient local privileges can extract it from the binary. Once obtained, the secret allows the attacker to decrypt the stored password and authenticate as the user defined in the configuration file. In the affected version, this user account is configured with administrative privileges, granting full access to PDBM’s management interface and its underlying operational functions.
Title Credential Exposure Vulnerability in Trac PDBM
Weaknesses CWE-798
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: ENISA

Published:

Updated: 2026-06-01T13:01:53.235Z

Reserved: 2026-02-03T07:24:49.547Z

Link: CVE-2026-25600

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-01T11:16:24.793

Modified: 2026-06-01T11:16:24.793

Link: CVE-2026-25600

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T12:30:28Z

Weaknesses