CVE-2026-25600
Description
The PDBM application uses a hard-coded cryptographic secret in its executable, allowing local attackers to decrypt administrative credentials stored in configuration files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The PDBM application, specifically version 1.0.0.0, contains a static, hard-coded cryptographic secret embedded directly within the PDBM.exe binary [1]. This secret is utilized by the application's internal encryption and decryption routines to protect credentials stored in the product's configuration file [1]. Because the secret is identical across all installations, it does not provide unique protection for individual deployments [1].
Exploitation
An attacker requires local access to the host system with high privileges to extract the hard-coded secret from the PDBM.exe binary [1]. Once the secret is retrieved, the attacker can use it to decrypt the administrative password stored within the application's configuration file [1]. No user interaction is required for this process, though it relies on the attacker's ability to read the binary and the configuration file on the local filesystem [1].
Impact
Successful exploitation allows an attacker to authenticate as an administrative user within the PDBM application [1]. This grants the attacker full access to the management interface and the ability to perform unauthorized actions within the PDBM environment and the connected ICS/OT infrastructure [1]. The compromise results in a loss of confidentiality, integrity, and availability regarding the application's administrative functions [1].
Mitigation
This vulnerability is addressed in PDBM version 2.0.0.0, which replaces the hard-coded secret mechanism [1]. Users are advised to upgrade to this version or higher to remediate the exposure [1]. No workarounds are provided for legacy versions.
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.