SecuriTricks - CVE-2026-25601

Description

A vulnerability was identified in MEPIS RM, an industrial software product developed by Metronik. The application contained a hardcoded cryptographic key within the Mx.Web.ComponentModel.dll component. When the option to store domain passwords was enabled, this key was used to encrypt user passwords before storing them in the application’s database. An attacker with sufficient privileges to access the database could extract the encrypted passwords, decrypt them using the embedded key, and gain unauthorized access to the associated ICS/OT environment.

Product(s) Impacted

Vendor	Product	Versions
Metronik	Mepis Rm	*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-798

Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	metronik	mepis_rm	/	/	/	/	/	/	/	/

References

https://www.cert.si/en/cve-2026-25601/

CVSS Score

6.4 / 10

CVSS Data - 3.1

Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: HIGH
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

View Vector String

Timeline

Published: April 1, 2026, 12:16 p.m.
Last Modified: April 1, 2026, 2:23 p.m.

Status : Undergoing Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

a6d3dc9e-0591-4a13-bce7-0f5b31ff6158

CVE-2026-25601