CVE-2026-25601 Metronik — Exploit & Vulnerability Details MEDIUM

Parameter	Value
CVSS	6.7 (MEDIUM)
Affected Versions	before 8.2.017
Fixed In	8.2.017
Type	CWE-798 (Hardcoded Credentials)
Vendor	Metronik
Public PoC	No

A vulnerability was identified in MEPIS RM, an industrial software product developed by Metronik. The application contained a hardcoded cryptographic key within the Mx.Web.ComponentModel.dll component. When the option to store domain passwords was enabled, this key was used to encrypt user passwords before storing them in the application’s database.

An attacker with sufficient privileges to access the database could extract the encrypted passwords, decrypt them using the embedded key, and gain unauthorized access to the associated ICS/OT environment.

Attack Parameters

Attack Vector

Local

Requires local access

Attack Complexity

Low

Easy to exploit

Privileges Required

High

Admin privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

High

Complete data leak

Integrity

High

Complete data modification

Availability

High

Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-798 Hardcoded Credentials

Vulnerable Products 3

Configuration	From (including)	Up to (excluding)
Metronik Mepis_Rm cpe:2.3:a:metronik:mepis_rm::::::::	—	`8.2.017`
Metronik Mepis_Rm cpe:2.3:a:metronik:mepis_rm::::::::	—	`8.2.0007`
Metronik Mepis_Rm cpe:2.3:a:metronik:mepis_rm:8.2.0007:-::::::	—	—

References 1

https://www.cert.si/en/cve-2026-25601/

a6d3dc9e-0591-4a13-bce7-0f5b31ff6158

Menu

CVE-2026-25601

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

Vulnerable Products 3

References 1

CVE Details

Editor's Choice

Menu

CVE-2026-25601

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

Vulnerable Products 3

References 1

CVE Details

Editor's Choice

Stay informed on cybersecurity