CVE-2026-25601
Hardcoded Key in MEPIS RM Enables Password Decryption
Publication date: 2026-04-01
Last updated on: 2026-04-07
Assigner: ENISA
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| metronik | mepis_rm | to 8.2.017 (exc) |
| metronik | mepis_rm | to 8.2.0007 (exc) |
| metronik | mepis_rm | 8.2.0007 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the MEPIS RM industrial software developed by Metronik. It involves a hardcoded cryptographic key embedded within the Mx.Web.ComponentModel.dll component. When the option to store domain passwords is enabled, this key is used to encrypt user passwords before they are stored in the application's database.
An attacker who has sufficient privileges and access to the database can extract these encrypted passwords and decrypt them offline using the embedded key. This allows unauthorized access to the associated ICS/OT environment.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow attackers to decrypt stored user credentials, leading to unauthorized access to industrial control systems or operational technology environments.
- Compromise of authentication mechanisms.
- Potential manipulation of industrial processes.
- Operational disruptions within critical infrastructure.
- Lateral movement within critical infrastructure networks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying the presence of the vulnerable MEPIS RM versions (8.0.0007, 8.1.0007, and 8.2.0007 up to build 14) and checking for the Mx.Web.ComponentModel.dll component containing the hardcoded cryptographic key.
Detection involves verifying if the application is configured to store domain passwords, as this triggers the use of the hardcoded key for encryption.
Since exploitation requires local or database-level access, commands or scripts could be used to inspect the application files and database for encrypted passwords and the presence of the vulnerable DLL.
- Check the version of MEPIS RM installed on your system.
- Locate and inspect the Mx.Web.ComponentModel.dll file for known hashes or signatures of the vulnerable versions.
- Query the application database for stored encrypted domain passwords.
- Use file integrity tools or hash comparison commands (e.g., sha256sum on Linux or Get-FileHash in PowerShell) to verify if the DLL matches the vulnerable version.
- Monitor for any unauthorized access attempts or unusual database queries that might indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the MEPIS RM software to a fixed version, specifically version 8.2.0007 build 15 or later, with the fully integrated fix delivered in version 8.2.0107.
The fix removes the hardcoded cryptographic key and introduces secure password-handling mechanisms, preventing attackers from decrypting stored passwords.
Until the upgrade can be performed, restrict access to the application database and the system hosting MEPIS RM to only trusted and authorized personnel to reduce the risk of exploitation.
Disable the option to store domain passwords in the application if possible, to avoid using the vulnerable encryption mechanism.
Monitor system and database logs for suspicious activity that could indicate attempts to exploit this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability involves a hardcoded cryptographic key used to encrypt domain passwords, which can be decrypted by an attacker with sufficient privileges and database access. This exposure of credentials can lead to unauthorized access to sensitive industrial control systems and operational technology environments.
Such unauthorized access and credential exposure could result in violations of data protection and security requirements mandated by common standards and regulations like GDPR and HIPAA, which require strong protection of sensitive data and user credentials.
Specifically, the compromise of confidentiality, integrity, and availability of authentication data may lead to non-compliance with these regulations' mandates on safeguarding personal and sensitive information, potentially resulting in legal and operational consequences.