CVE-2026-25601 identifies a security weakness in Metronik d.o.o.'s MEPIS RM, an industrial software product used in ICS/OT environments. The vulnerability stems from the use of a hardcoded cryptographic key within the Mx.Web.ComponentModel.dll component. When the feature to store domain passwords is enabled, user passwords are encrypted using this fixed key before being saved in the application’s database. Because the key is hardcoded and static, any attacker who gains sufficient privileges to access the database can retrieve the encrypted passwords and decrypt them using the embedded key. This effectively bypasses the intended security of stored credentials, allowing unauthorized access to the industrial control systems managed by MEPIS RM. The vulnerability is classified under CWE-798 (Use of Hard-coded Credentials), which is a common and critical security flaw. The CVSS 3.1 score of 6.4 reflects a medium severity rating, with the attack vector being local (AV:L), requiring high attack complexity (AC:H), and high privileges (PR:H), but no user interaction (UI:N). The impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H), indicating that exploitation could lead to full compromise of the ICS/OT environment. No patches or known exploits are currently reported, but the presence of hardcoded keys in critical industrial software poses a significant risk if leveraged by malicious actors.

The primary impact of this vulnerability is the potential compromise of industrial control systems managed by MEPIS RM. If an attacker with high privileges accesses the database, they can decrypt stored domain passwords, leading to unauthorized access to critical ICS/OT environments. This can result in data breaches, manipulation or disruption of industrial processes, and potential safety hazards. The confidentiality of user credentials is severely compromised, and the integrity and availability of the control systems are at risk due to possible unauthorized commands or system manipulations. Given the critical nature of ICS/OT systems in sectors like manufacturing, energy, and utilities, exploitation could cause operational downtime, financial losses, and safety incidents. Although exploitation requires high privileges and local access, insider threats or attackers who have already penetrated the network could leverage this vulnerability to escalate their access and control.

Organizations using MEPIS RM should immediately audit their deployment to determine if the password storage feature is enabled. If so, they should disable this feature until a secure patch or update is available. Restrict database access strictly to trusted administrators and implement strong access controls and monitoring to detect unauthorized access attempts. Consider isolating the ICS/OT network segment to limit exposure. If possible, replace or supplement the hardcoded key encryption with a secure key management system that uses unique, non-hardcoded keys per deployment. Conduct regular credential audits and enforce multi-factor authentication for all administrative access. Monitor logs for unusual database access patterns and implement network segmentation to reduce the risk of lateral movement. Engage with Metronik d.o.o. for updates or patches addressing this vulnerability and apply them promptly once released.