CVE-2026-41879
Received Received - Intake

Superadmin Credentials Stored as Non-Salted MD5 Hash in R-SOFT DMS

Vulnerability report for CVE-2026-41879, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: CERT.PL

Description

R-SOFT DMS stores superadmin credentials using a non-salted nested MD5 hash. This allows an attacker who obtain password hash to decode superadmin credentials. Critically, this password cannot be changed except by modifying the configuration file. This issue was fixed in version v3.17-2000.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
r-soft dms v3.17-2000

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-328 The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in R-SOFT DMS involves the storage of superadmin credentials using a non-salted nested MD5 hash. This weak hashing method allows an attacker who obtains the password hash to decode the superadmin credentials. Additionally, the superadmin password cannot be changed except by modifying the configuration file, which increases the risk.

Mitigation Strategies

The vulnerability can be mitigated by upgrading R-SOFT DMS to version v3.17-2000 or later, where the issue has been fixed.

Since the superadmin password cannot be changed except by modifying the configuration file, immediate mitigation involves applying the update and reviewing configuration file security to prevent unauthorized access.

Impact Analysis

An attacker who exploits this vulnerability can decode the superadmin credentials, potentially gaining unauthorized full administrative access to the R-SOFT DMS system. This could lead to unauthorized data access, system manipulation, and compromise of sensitive information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41879. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart