Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities by Metronik d.o.o.
CVE-2026-25601 (GCVE-0-2026-25601)
Vulnerability from nvd – Published: 2026-04-01 11:28 – Updated: 2026-04-01 12:35
VLAI
Title
Credential Exposure vulnerability in MEPIS RM
Summary
A vulnerability was identified in MEPIS RM, an industrial
software product developed by Metronik. The application contained a hardcoded
cryptographic key within the Mx.Web.ComponentModel.dll component. When the
option to store domain passwords was enabled, this key was used to encrypt user
passwords before storing them in the application’s database. An attacker with
sufficient privileges to access the database could extract the encrypted
passwords, decrypt them using the embedded key, and gain unauthorized access to
the associated ICS/OT environment.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.cert.si/en/cve-2026-25601/ | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Metronik d.o.o. | MEPIS RM |
Affected:
0 , < 8.2.0107
(semver)
Affected: 0 , < 8.2.0007 build 15 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25601",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T12:34:39.978813Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T12:35:48.644Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MEPIS RM",
"vendor": "Metronik d.o.o.",
"versions": [
{
"lessThan": "8.2.0107",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "8.2.0007 build 15",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA vulnerability was identified in MEPIS RM, an industrial\nsoftware product developed by Metronik. The application contained a hardcoded\ncryptographic key within the Mx.Web.ComponentModel.dll component. When the\noption to store domain passwords was enabled, this key was used to encrypt user\npasswords before storing them in the application\u2019s database. An attacker with\nsufficient privileges to access the database could extract the encrypted\npasswords, decrypt them using the embedded key, and gain unauthorized access to\nthe associated ICS/OT environment.\u003c/p\u003e"
}
],
"value": "A vulnerability was identified in MEPIS RM, an industrial\nsoftware product developed by Metronik. The application contained a hardcoded\ncryptographic key within the Mx.Web.ComponentModel.dll component. When the\noption to store domain passwords was enabled, this key was used to encrypt user\npasswords before storing them in the application\u2019s database. An attacker with\nsufficient privileges to access the database could extract the encrypted\npasswords, decrypt them using the embedded key, and gain unauthorized access to\nthe associated ICS/OT environment."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798: Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T11:28:57.110Z",
"orgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"shortName": "ENISA"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.cert.si/en/cve-2026-25601/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Credential Exposure vulnerability in MEPIS RM",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"assignerShortName": "ENISA",
"cveId": "CVE-2026-25601",
"datePublished": "2026-04-01T11:28:57.110Z",
"dateReserved": "2026-02-03T07:24:49.548Z",
"dateUpdated": "2026-04-01T12:35:48.644Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25601 (GCVE-0-2026-25601)
Vulnerability from cvelistv5 – Published: 2026-04-01 11:28 – Updated: 2026-04-01 12:35
VLAI
Title
Credential Exposure vulnerability in MEPIS RM
Summary
A vulnerability was identified in MEPIS RM, an industrial
software product developed by Metronik. The application contained a hardcoded
cryptographic key within the Mx.Web.ComponentModel.dll component. When the
option to store domain passwords was enabled, this key was used to encrypt user
passwords before storing them in the application’s database. An attacker with
sufficient privileges to access the database could extract the encrypted
passwords, decrypt them using the embedded key, and gain unauthorized access to
the associated ICS/OT environment.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.cert.si/en/cve-2026-25601/ | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Metronik d.o.o. | MEPIS RM |
Affected:
0 , < 8.2.0107
(semver)
Affected: 0 , < 8.2.0007 build 15 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25601",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T12:34:39.978813Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T12:35:48.644Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MEPIS RM",
"vendor": "Metronik d.o.o.",
"versions": [
{
"lessThan": "8.2.0107",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "8.2.0007 build 15",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA vulnerability was identified in MEPIS RM, an industrial\nsoftware product developed by Metronik. The application contained a hardcoded\ncryptographic key within the Mx.Web.ComponentModel.dll component. When the\noption to store domain passwords was enabled, this key was used to encrypt user\npasswords before storing them in the application\u2019s database. An attacker with\nsufficient privileges to access the database could extract the encrypted\npasswords, decrypt them using the embedded key, and gain unauthorized access to\nthe associated ICS/OT environment.\u003c/p\u003e"
}
],
"value": "A vulnerability was identified in MEPIS RM, an industrial\nsoftware product developed by Metronik. The application contained a hardcoded\ncryptographic key within the Mx.Web.ComponentModel.dll component. When the\noption to store domain passwords was enabled, this key was used to encrypt user\npasswords before storing them in the application\u2019s database. An attacker with\nsufficient privileges to access the database could extract the encrypted\npasswords, decrypt them using the embedded key, and gain unauthorized access to\nthe associated ICS/OT environment."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798: Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T11:28:57.110Z",
"orgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"shortName": "ENISA"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.cert.si/en/cve-2026-25601/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Credential Exposure vulnerability in MEPIS RM",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"assignerShortName": "ENISA",
"cveId": "CVE-2026-25601",
"datePublished": "2026-04-01T11:28:57.110Z",
"dateReserved": "2026-02-03T07:24:49.548Z",
"dateUpdated": "2026-04-01T12:35:48.644Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}