Description
A vulnerability was identified in MEPIS RM, an industrial
software product developed by Metronik. The application contained a hardcoded
cryptographic key within the Mx.Web.ComponentModel.dll component. When the
option to store domain passwords was enabled, this key was used to encrypt user
passwords before storing them in the application’s database. An attacker with
sufficient privileges to access the database could extract the encrypted
passwords, decrypt them using the embedded key, and gain unauthorized access to
the associated ICS/OT environment.
Published: 2026-04-01
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Credential Access
Action: Patch Now
AI Analysis

Impact

A hardcoded cryptographic key in the component used by MEPIS RM encrypts domain passwords when the store‑password option is turned on. If an attacker can read the application database, the embedded key allows decryption of those credentials, exposing the usernames and passwords that give access to the connected industrial control environment. The vulnerability is a classic credential‑exposure flaw classified under CWE‑798.

Affected Systems

Metronik’s MEPIS RM software, particularly version 8.2.0007 and any builds that retain the same hardcoded key, are affected. The flaw applies whenever the feature to store domain passwords is enabled, regardless of the specific operator or deployment environment.

Risk and Exploitability

The weakness carries a CVSS score of 6.4, indicating a moderate severity that is likely exploitable only if an attacker obtains database access or local administrative rights. The probability of exploitation is currently below 1 %. The issue is not listed in the CISA Known Exploited Vulnerabilities catalog, but it provides a clear pathway for privilege escalation: read encrypted credentials, use the embedded key, and unmask passwords, thus enabling unauthorized control of the affected OT systems.

Generated by OpenCVE AI on April 7, 2026 at 22:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch that removes the hardcoded key or otherwise secures password storage.
  • If a patch is not yet available, disable the domain password storage feature in the application settings to prevent encrypted credentials from being stored.
  • Limit database access to the minimum set of privileged users and enforce least‑privilege policies.
  • Deploy monitoring to detect unusual reads of the password storage tables or attempts to access the component containing the hardcoded key.

Generated by OpenCVE AI on April 7, 2026 at 22:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.cert.si/en/cve-2026-25601/ cve-icon cve-icon
History

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:metronik:mepis_rm:*:*:*:*:*:*:*:*
cpe:2.3:a:metronik:mepis_rm:8.2.0007:-:*:*:*:*:*:*

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Metronik
Metronik mepis Rm
Vendors & Products Metronik
Metronik mepis Rm

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 11:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in MEPIS RM, an industrial software product developed by Metronik. The application contained a hardcoded cryptographic key within the Mx.Web.ComponentModel.dll component. When the option to store domain passwords was enabled, this key was used to encrypt user passwords before storing them in the application’s database. An attacker with sufficient privileges to access the database could extract the encrypted passwords, decrypt them using the embedded key, and gain unauthorized access to the associated ICS/OT environment.
Title Credential Exposure vulnerability in MEPIS RM
Weaknesses CWE-798
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Metronik Mepis Rm
cve-icon MITRE

Status: PUBLISHED

Assigner: ENISA

Published:

Updated: 2026-04-01T12:35:48.644Z

Reserved: 2026-02-03T07:24:49.548Z

Link: CVE-2026-25601

cve-icon Vulnrichment

Updated: 2026-04-01T12:35:42.276Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T12:16:02.587

Modified: 2026-04-07T20:47:29.027

Link: CVE-2026-25601

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:59:53Z

Weaknesses