Medium severity6.4NVD Advisory· Published Apr 1, 2026· Updated Apr 7, 2026

CVE-2026-25601

Description

A vulnerability was identified in MEPIS RM, an industrial software product developed by Metronik. The application contained a hardcoded cryptographic key within the Mx.Web.ComponentModel.dll component. When the option to store domain passwords was enabled, this key was used to encrypt user passwords before storing them in the application’s database. An attacker with sufficient privileges to access the database could extract the encrypted passwords, decrypt them using the embedded key, and gain unauthorized access to the associated ICS/OT environment.

Affected products

Metronik/Mepis Rm2 versions
cpe:2.3:a:metronik:mepis_rm:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:metronik:mepis_rm:*:*:*:*:*:*:*:*range: <8.2.017
- cpe:2.3:a:metronik:mepis_rm:8.2.0007:-:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.cert.si/en/cve-2026-25601/nvdBroken Link

News mentions

No linked articles in our index yet.

cvss	0.416
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000