CVE-2026-42251: CWE-798 Use of Hard-coded Credentials in KAMSOFT KS-SOMED
Use of hard-coded credentials in KS-SOMED allowed an unauthorized attacker to access the FTP server that hosted the application's update packages. An attacker with these credentials could upload a malicious update file, which might then have been distributed and installed on client machines as a legitimate update. This issue affects KS-SOMED with modules KSPLUPDFTP.exe up to 30.00.00.056 and ANEKSKLIENT.EXE up to 29.00.02.026. Besides removing the hard-coded credentials from the code and changing the update process, access granted by the previously exposed credentials was limited to read-only.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-42251) in KAMSOFT KS-SOMED arises from the use of hard-coded credentials (CWE-798) within the application modules KSPLUPDFTP.exe and ANEKSKLIENT.EXE. These credentials provide unauthorized access to the FTP server that hosts update packages. Exploitation could allow an attacker to upload malicious update files, which might then be distributed and installed on client systems as legitimate updates. The affected versions are KSPLUPDFTP.exe up to 30.00.00.056 and ANEKSKLIENT.EXE up to 29.00.02.026. The vulnerability has a CVSS 4.0 base score of 8.7, indicating high severity. No official patch or remediation level has been published yet.
Potential Impact
The vulnerability enables unauthorized access to the FTP server via hard-coded credentials, potentially allowing an attacker to upload malicious update files. This could lead to the distribution of compromised updates to client machines, posing a significant risk to system integrity. However, access granted by the previously exposed credentials was limited to read-only, which may reduce the risk of direct modification but does not eliminate the threat of malicious uploads if the FTP server still permits them.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting FTP server access, monitoring update package integrity, and applying any vendor recommendations once available. Avoid relying on the affected versions and plan for updates once patches are provided.
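As an added example for the access-restriction and integrity-monitoring advice above (not code from the vendor or the advisory), the following reviews FTP transfer logs for writes made with the shared client account and lists the clients that fetched a package after such a write. It assumes the server logs in xferlog format; the account names, hosts and paths are constructed placeholders.

```python
from collections import namedtuple

# Constructed sample in xferlog format (assumed log format). The account names,
# hosts and paths are placeholders, not values from the advisory.
SAMPLE_XFERLOG = """\
Mon May 11 02:14:07 2026 3 198.51.100.20 5242880 /updates/pkg_a.zip b _ o r shared-upd ftp 0 * c
Tue May 12 23:48:19 2026 4 203.0.113.77 6291456 /updates/pkg_a.zip b _ i r shared-upd ftp 0 * c
Tue May 12 23:49:02 2026 0 203.0.113.77 0 /updates/old notes.txt b _ d r shared-upd ftp 0 * c
Wed May 13 07:30:00 2026 3 198.51.100.22 6291456 /updates/pkg_a.zip b _ o r shared-upd ftp 0 * c
Wed May 13 09:00:11 2026 2 192.0.2.10 7340032 /updates/pkg_b.zip b _ i r release-bot ftp 0 * c
truncated line
"""

Event = namedtuple("Event", "when host path direction user status")
DIRECTIONS = {"o": "download", "i": "upload", "d": "delete"}

def parse_xferlog_line(line):
    """Return an Event, or None if the line is not a complete xferlog record."""
    tok = line.split()
    # 5 date tokens + 3 fields + filename + 9 trailing fields; indexing from
    # both ends keeps a filename containing spaces from shifting the fields.
    if len(tok) < 18 or tok[-7] not in DIRECTIONS:
        return None
    return Event(" ".join(tok[:5]), tok[6], " ".join(tok[8:-9]),
                 DIRECTIONS[tok[-7]], tok[-5], tok[-1])

def writes_by_shared_account(log_text, shared_account):
    """Uploads/deletes by the shared account; update clients only download."""
    events = (parse_xferlog_line(ln) for ln in log_text.splitlines())
    return [e for e in events
            if e and e.user == shared_account and e.direction != "download"]

def downloads_after_flagged_upload(log_text, shared_account):
    """Map each path uploaded by the shared account to the hosts that fetched
    it afterwards (the log is chronological); those clients need review."""
    flagged, exposed = set(), {}
    for line in log_text.splitlines():
        e = parse_xferlog_line(line)
        if e is None:
            continue
        if e.user == shared_account and e.direction == "upload":
            flagged.add(e.path)
        elif e.direction == "download" and e.path in flagged:
            exposed.setdefault(e.path, []).append(e.host)
    return exposed

if __name__ == "__main__":
    print(writes_by_shared_account(SAMPLE_XFERLOG, "shared-upd"))
    print(downloads_after_flagged_upload(SAMPLE_XFERLOG, "shared-upd"))
```

Any finding for the shared account predates or contradicts the read-only restriction and should be checked against the release team's own publishing records.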
CVSS v4.0
Score: 8.7 (high)
Technical Details
- Data Version: 5.2
- Assigner Short Name: CERT-PL
- Date Reserved: 2026-04-25T11:31:56.229Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a1d9f52e29bf47b5008b354
Added to database: 6/1/2026, 3:03:46 PM
Last enriched: 6/1/2026, 3:34:25 PM
Last updated: 6/2/2026, 4:57:42 AM