Description
STER uses unencrypted TCP traffic to transmit data over the network. It allows an attacker to conduct a Man-In-The-Middle attack and obtain sensitive data such as passwords, personal data, or authentication tokens.

This issue was fixed in version 9.5.
Published: 2026-05-22
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The STER application transmits data over unencrypted TCP, a weakness classified as cleartext transmission of sensitive information (CWE-319). An attacker can intercept the traffic to capture passwords, personal data, or authentication tokens, thereby compromising the confidentiality of the data exchanged with STER.

Affected Systems

Centralny Instytut Ochrony Pracy – Państwowy Instytut Badawczy’s STER product is affected. Versions prior to 9.5 lack encryption; the issue was resolved in the 9.5 release.

Risk and Exploitability

The CVSS score of 2.3 indicates a low severity for this flaw, and the EPSS score is not available. It is not listed in the CISA KEV catalog. The vulnerability can be exploited through a network-level Man-In-The-Middle attack when unencrypted traffic is observed, which makes exploitation straightforward for anyone with network access to STER endpoints.

Generated by OpenCVE AI on May 22, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade STER to version 9.5 or later to apply the vendor‑provided encryption fix.
  • If an upgrade cannot be performed immediately, enforce TLS/SSL on all STER network communications to eliminate cleartext transmission.
  • Limit access to STER services by implementing strict network segmentation and firewall rules, and monitor for anomalous traffic patterns that could indicate MITM activity.

Advisories

No advisories yet.

History

Fri, 22 May 2026 13:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy; Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy ster |
| Vendors & Products | | Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy; Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy ster |

Fri, 22 May 2026 11:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Fri, 22 May 2026 10:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | STER uses unencrypted TCP traffic to transmit data over the network. It allows an attacker to conduct a Man-In-The-Middle attack and obtain sensitive data such as passwords, personal data, or authentication tokens. This issue was fixed in version 9.5. |
| Title | | Lack of traffic encryption in STER |
| Weaknesses | | CWE-319 |
| References | | |
| Metrics | | cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'} |

MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-05-22T10:59:55.665Z

Reserved: 2026-02-03T13:12:14.139Z

Link: CVE-2026-25608

Vulnrichment

Updated: 2026-05-22T10:59:50.317Z

NVD

Status: Received

Published: 2026-05-22T10:16:17.593

Modified: 2026-05-22T10:16:17.593

Link: CVE-2026-25608

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T12:37:42Z
