Description
Use of Hard-coded Credentials vulnerability in Avantra allows Accessing
Functionality Not Properly Constrained by ACLs. This issue affects
Avantra: before 25.3.0.
Published: 2026-03-13
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Apply Update
AI Analysis

Impact

The vulnerability originates from hard-coded credentials embedded within the Avantra platform, allowing an entity to authenticate as a privileged user without having been issued legitimate credentials. This unauthorized access grants the ability to invoke functionality that is not correctly restricted by access control lists. The primary impact is the potential for data disclosure, manipulation, or other actions that compromise the confidentiality, integrity, and availability of the system. The weakness is classified as CWE-798: Use of Hard-coded Credentials.

Affected Systems

The affected product is Syslink Software AG's Avantra platform. The issue exists in all releases prior to version 25.3.0, as stated by the vendor: "This issue affects Avantra: before 25.3.0." No further version details are provided.

Risk and Exploitability

The likely attack vector is remote network interaction when the application is exposed, since the hard-coded credentials can be presented over the network. Based on the description, it is inferred that local access to the application would also permit use of the credentials. The CVSS base score of 7.2 indicates high severity, while the EPSS score of less than 1% suggests a low probability of real-world exploitation. The vulnerability is not listed in CISA's KEV catalog, indicating no confirmed exploitation in the wild. Nonetheless, the possibility of privileged access warrants prompt mitigation.

Generated by OpenCVE AI on March 19, 2026 at 16:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s support site or contact support for any available patches or updates for Avantra versions before 25.3.0 and apply them if available.
  • Verify that the hard‑coded credentials have been removed from the system configuration and that access control lists are correctly enforced to prevent privilege escalation.
  • Conduct a system audit to detect any remaining hard‑coded credentials and review application logs for unauthorized access attempts.
  • Implement network segmentation and restrict external access to the Avantra application to limit the attack surface.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Syslink Software Ag; Syslink Software Ag avantra
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Syslink Software Ag; Syslink Software Ag avantra

Fri, 13 Mar 2026 17:15:00 +0000

Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 09:45:00 +0000

Type: Description
  Values Removed: Use of Hard-coded Credentials vulnerability in Avnatra Avantra allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Avantra: before 25.3.0.
  Values Added: Use of Hard-coded Credentials vulnerability in Avantra allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Avantra: before 25.3.0.

Fri, 13 Mar 2026 08:30:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Use of Hard-coded Credentials vulnerability in Avnatra Avantra allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Avantra: before 25.3.0.
Type: Title
  Values Removed: (none)
  Values Added: Legacy built-in user account
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-798
Type: References
  Values Removed: (none)
  Values Added: (none shown)
Type: Metrics (cvssV3_1)
  Values Removed: (none)
  Values Added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Syslink Software Ag Avantra
MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-03-13T16:05:47.203Z

Reserved: 2026-03-10T10:16:02.391Z

Link: CVE-2026-3873

Vulnrichment

Updated: 2026-03-13T16:05:43.335Z

NVD

Status: Awaiting Analysis

Published: 2026-03-13T19:55:10.810

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-3873

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:59:42Z

Weaknesses