Description
Use of a weak password encoding algorithm in STER software allows the value of the password to be guessed after analyzing how passwords with known values are encoded.

This issue was fixed in version 9.5.
Published: 2026-05-22
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from STER's weak password encoding algorithm. By comparing known plaintext passwords with their encoded forms, an attacker can work out how the encoding behaves and recover the original password value for any user. Successful exploitation results in credential compromise: the attacker can impersonate a legitimate user and gain unauthorized access to sensitive data or functionality within the application.

Affected Systems

The software affected is STER from Centralny Instytut Ochrony Pracy – Państwowy Instytut Badawczy. All releases before version 9.5 are vulnerable; the fix was introduced in 9.5.

Risk and Exploitability

The CVSS score of 5.7 denotes moderate severity. No EPSS score is provided, and the CVE is not listed in CISA KEV, indicating no confirmed widespread exploitation, but the flaw still presents a legitimate risk. Attack vector details are not spelled out, so the vector is inferred as a local attack on the software, exploitable either after a local compromise or remotely if the encoded password data is exposed through the application. The primary risk is unauthorized access to any account whose password can be reconstructed from the weak encoding.

Generated by OpenCVE AI on May 22, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update STER software to version 9.5 or later, which enforces a stronger password encoding algorithm.
  • After upgrading, enforce password complexity requirements such as minimum length, mixed case, digits, and special characters to reduce reliance on weak passwords.
  • Enable or configure multi-factor authentication for all user accounts accessing STER so that compromised passwords alone are insufficient for unauthorized access.

Advisories

No advisories yet.

History

Fri, 22 May 2026 15:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 13:15:00 +0000

Type: First Time appeared
Values Added: Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy; Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy ster

Type: Vendors & Products
Values Added: Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy; Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy ster

Fri, 22 May 2026 10:00:00 +0000

Type: Description
Values Added: Use of a weak password encoding algorithm in STER software allows the value of the password to be guessed after analyzing how passwords with known values are encoded. This issue was fixed in version 9.5.

Type: Title
Values Added: Weak password encoding in STER

Type: Weaknesses
Values Added: CWE-261

Type: References
Values Added: (none)

Type: Metrics (cvssV4_0)
Values Added: {'score': 5.7, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-05-22T13:44:14.391Z

Reserved: 2026-02-03T13:12:14.139Z

Link: CVE-2026-25607

Vulnrichment

Updated: 2026-05-22T13:44:10.201Z

NVD

Status : Received

Published: 2026-05-22T10:16:17.470

Modified: 2026-05-22T10:16:17.470

Link: CVE-2026-25607

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T12:37:43Z

Weaknesses