Description
Hydrosystem Control System saves sensitive information into a log file. Critically, user credentials are logged, allowing an attacker to obtain further authorized access into the system. Combined with vulnerability CVE-2026-34184, this sensitive information could be accessed by an unauthorized user. This issue was fixed in Hydrosystem Control System version 9.8.5.
Published: 2026-04-09
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Apply Patch
AI Analysis

Impact

The Hydrosystem Control System records user credentials and other sensitive data in its log files, enabling an attacker who can read those logs to obtain privileged access. This information‑exposure flaw, identified as CWE‑532, undermines confidentiality and may facilitate further compromise when combined with other vulnerabilities such as CVE‑2026‑34184.

Affected Systems

Hydrosystem Control System versions preceding 9.8.5 are vulnerable; the fix was released in version 9.8.5. Any installation of the control system before that update is affected, regardless of other configuration settings.

Risk and Exploitability

With a CVSS v3.1 score of 6.9 the flaw has medium severity and the EPSS score is not available; it is not in the CISA KEV catalog. Exploitation requires access to the log files, which are typically readable by authenticated users, so the threat vector is likely post‑exploitation or lateral movement after an initial compromise such as CVE‑2026‑34184. The risk is primarily loss of confidentiality and potential privilege escalation, while integrity and availability are less directly impacted.

Generated by OpenCVE AI on April 9, 2026 at 11:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Hydrosystem Control System to version 9.8.5 or later to eliminate the logging of sensitive data.
  • Audit existing log files to identify exposed credentials and reset any compromised accounts.
  • Restrict access to log files by applying strict file permissions so that only authorized personnel can read them.
  • Consider encrypting logs or removing sensitive data from log entries to prevent plaintext exposure.
  • Monitor for signs of credential theft and enforce strong access controls on the control system.

Generated by OpenCVE AI on April 9, 2026 at 11:50 UTC.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Hydrosystem.poznan; Hydrosystem.poznan control System |
| CPEs | | cpe:2.3:a:hydrosystem.poznan:control_system:*:*:*:*:*:*:*:* |
| Vendors & Products | | Hydrosystem.poznan; Hydrosystem.poznan control System |
| Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'} |


Fri, 10 Apr 2026 09:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Hydrosystem; Hydrosystem control System |
| Vendors & Products | | Hydrosystem; Hydrosystem control System |

Thu, 09 Apr 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 09 Apr 2026 10:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Hydrosystem Control System saves sensitive information into a log file. Critically, user credentials are logged, allowing an attacker to obtain further authorized access into the system. Combined with vulnerability CVE-2026-34184, this sensitive information could be accessed by an unauthorized user. This issue was fixed in Hydrosystem Control System version 9.8.5. |
| Title | | Insertion of Sensitive Information into Log File in Hydrosystem Control System |
| Weaknesses | | CWE-532 |
| References | | |
| Metrics | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-04-09T11:51:48.409Z

Reserved: 2026-03-26T14:59:49.077Z

Link: CVE-2026-4901

Vulnrichment

Updated: 2026-04-09T11:51:45.466Z

NVD

Status: Analyzed

Published: 2026-04-09T10:16:22.543

Modified: 2026-04-20T17:05:29.580

Link: CVE-2026-4901

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:32:59Z

Weaknesses
  • CWE-532

    Insertion of Sensitive Information into Log File