CVE-2026-25601: CWE-798: Use of Hard-coded Credentials in Metronik d.o.o. MEPIS RM
A vulnerability was identified in MEPIS RM, an industrial software product developed by Metronik. The application contained a hardcoded cryptographic key within the Mx.Web.ComponentModel.dll component. When the option to store domain passwords was enabled, this key was used to encrypt user passwords before storing them in the application’s database. An attacker with sufficient privileges to access the database could extract the encrypted passwords, decrypt them using the embedded key, and gain unauthorized access to the associated ICS/OT environment.
AI Analysis
Technical Summary
CVE-2026-25601 is a security vulnerability classified under CWE-798 (Use of Hard-coded Credentials) found in Metronik d.o.o.'s industrial software product MEPIS RM. The vulnerability arises from the presence of a hardcoded cryptographic key embedded within the Mx.Web.ComponentModel.dll component. This key is utilized to encrypt domain passwords when the option to store these passwords is enabled, with the encrypted credentials stored in the application’s database. Because the cryptographic key is hardcoded and static, an attacker who gains sufficient privileges to access the database can retrieve the encrypted passwords and decrypt them using the embedded key. This decryption capability allows the attacker to obtain plaintext credentials, which can then be used to gain unauthorized access to the associated Industrial Control Systems (ICS) or Operational Technology (OT) environments managed by MEPIS RM. The vulnerability impacts confidentiality, integrity, and availability of the system, as unauthorized access could lead to manipulation or disruption of critical industrial processes. The CVSS v3.1 base score is 6.4 (medium severity), reflecting that exploitation requires high privileges and local access but results in significant impact. No public exploits have been reported so far. The affected versions are not explicitly specified beyond version 0, indicating that the issue may be present in initial or early releases. The vulnerability was published on April 1, 2026, and assigned by ENISA. Given the nature of ICS/OT environments, this vulnerability poses a serious risk if exploited, potentially leading to operational disruptions or safety hazards.
Potential Impact
The primary impact of CVE-2026-25601 is the compromise of confidentiality and integrity of domain credentials within industrial environments using MEPIS RM. If exploited, attackers can decrypt stored passwords and gain unauthorized access to critical ICS/OT systems, potentially allowing them to manipulate industrial processes, disrupt operations, or cause safety incidents. This could lead to significant operational downtime, financial losses, and damage to physical infrastructure. The availability of systems could also be affected if attackers disrupt or disable control systems. Since exploitation requires high privileges and local access to the database, the threat is more relevant to insider threats or attackers who have already penetrated the network perimeter. However, once inside, the attacker’s ability to escalate privileges and move laterally within the ICS environment is greatly enhanced. Organizations relying on MEPIS RM for industrial automation or monitoring are at risk of targeted attacks aiming to disrupt critical infrastructure. The lack of known public exploits reduces immediate risk but does not eliminate the threat, especially given the value of ICS environments to nation-states and cybercriminals.
Mitigation Recommendations
To mitigate CVE-2026-25601, organizations should first verify whether they are running an affected version of MEPIS RM and whether the option to store domain passwords is enabled. As an immediate step, disable the password storage feature where feasible so that the hardcoded key is no longer used for encryption. If password storage is necessary, request patches or updates from Metronik that remove the hardcoded key and implement secure key management, such as unique, per-installation keys stored securely outside the application binaries. Restrict database access strictly to authorized personnel and systems, using network segmentation and strong access controls to reduce the risk of privilege escalation and lateral movement. Implement monitoring and alerting for unusual database access patterns or attempts to extract encrypted credentials. Conduct regular audits of ICS/OT environments to detect unauthorized access. Employ defense-in-depth measures including endpoint protection, multi-factor authentication for administrative access, and network anomaly detection tailored to ICS protocols. Finally, coordinate with Metronik on official patches or mitigations and apply them promptly once available.
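The per-installation key recommendation above, as an added example (not Metronik's code and not part of the original advisory): each installation generates its own random key on first run, keeps it in a file outside the application binaries, and refuses to use it if the file is readable by other accounts. The file names and fingerprint label are hypothetical, and POSIX file modes stand in for the ACL or DPAPI protection a Windows deployment would use.

```python
import hashlib
import hmac
import os
import secrets
import stat
import tempfile

KEY_LEN = 32  # 256-bit key, generated per installation instead of compiled in


def load_or_create_install_key(path):
    """Return this installation's key, generating it on first run."""
    try:
        # O_EXCL fails if the file exists, so an existing key is never overwritten.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return _load_existing(path)
    key = secrets.token_bytes(KEY_LEN)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)
    return key


def _load_existing(path):
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit is a misconfiguration
        raise PermissionError(f"{path} is accessible to group/other (mode {mode:o})")
    with open(path, "rb") as fh:
        key = fh.read()
    if len(key) != KEY_LEN:
        raise ValueError(f"{path} does not hold a {KEY_LEN}-byte key")
    return key


def key_fingerprint(key):
    """One-way label for inventory: shows whether two installations share a
    key without exposing the key itself."""
    return hmac.new(key, b"install-key-fingerprint", hashlib.sha256).hexdigest()[:16]


def demo():
    """Two constructed installations in a temp dir; returns the check results."""
    with tempfile.TemporaryDirectory() as root:
        a, b = os.path.join(root, "site-a.key"), os.path.join(root, "site-b.key")
        key_a, key_b = load_or_create_install_key(a), load_or_create_install_key(b)
        stable = load_or_create_install_key(a) == key_a  # second run reuses key
        os.chmod(b, 0o644)  # simulate a key file left world-readable
        try:
            load_or_create_install_key(b)
            rejected = False
        except PermissionError:
            rejected = True
        distinct = key_fingerprint(key_a) != key_fingerprint(key_b)
        return {"distinct": distinct, "stable": stable, "loose_perms_rejected": rejected}
```

Because the key never appears in the binary or the database, a copy of the database alone is not enough to recover the stored passwords.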
Affected Countries
Germany, United States, Poland, Czech Republic, Slovakia, France, Italy, United Kingdom, Russia, China
Technical Details
- Data Version: 5.2
- Assigner Short Name: ENISA
- Date Reserved: 2026-02-03T07:24:49.548Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69cd7651e6bfc5ba1df0b2d7
Added to database: 4/1/2026, 7:47:29 PM
Last enriched: 4/1/2026, 7:54:51 PM
Last updated: 4/1/2026, 8:51:59 PM