CVE-2026-25607
Description
Use of a weak password encoding algorithm in STER software allows the value of the password to be guessed after analyzing how passwords with known values are encoded.
This issue was fixed in version 9.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Weak password encoding in STER software below version 9.5 allows an attacker to guess passwords by analyzing encoded values of known passwords.
Vulnerability
STER software, a computer system for occupational safety and health management developed by the Central Institute for Labour Protection – National Research Institute, uses a weak password encoding algorithm (CWE-261). This vulnerability affects all versions below 9.5 [1]. The encoding algorithm is such that knowing the encoded value of a known plaintext password allows an attacker to deduce the encoding method and subsequently guess unknown passwords.
Exploitation
An attacker must have access to the encoded password values, for example through a database leak or other information disclosure, and also possess or be able to create pairs of known passwords and their encoded outputs. By analyzing these pairs, the attacker can reverse or model the weak encoding algorithm to predict the encoded form of unknown passwords. No special network position or authentication beyond obtaining the encoded values is required.
Impact
Successful exploitation leads to disclosure of user passwords. Although not directly exploitable for code execution, an attacker could use recovered passwords to gain unauthorized access to the STER system, potentially compromising sensitive occupational safety and health management data and associated administrative functions.
Mitigation
The vulnerability is fixed in STER version 9.5 [1][2]. Users should upgrade to version 9.5 or later. No workarounds are described in the available references. The product is not known to be listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of publication.
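The advisory does not describe STER's actual encoding scheme, so the following is an added illustration of the CWE-261 weakness class in general, not code from STER or its vendor. It pairs a hypothetical deterministic, unsalted stand-in encoding (here plain Base64, chosen only because it is obviously reversible) with a hardened password store built on salted PBKDF2-HMAC-SHA256 from the Python standard library. The `leaks_equal_passwords` check is the property a defender can test for: if two users who choose the same password end up with identical stored values, a single known plaintext/encoded pair discloses every other account using that password. All names, the record format and the sample passwords are constructed for this example.

```python
import base64
import hashlib
import hmac
import os

# --- Hypothetical weak stand-in (NOT STER's algorithm; the advisory does not
# --- describe it). Deterministic and reversible: same input -> same output.
def weak_encode(password: str) -> str:
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


# --- Hardened storage: random per-user salt + PBKDF2-HMAC-SHA256.
# Record format (constructed for this example): "pbkdf2_sha256$iter$salt$hash"
PBKDF2_ITERATIONS = 600_000  # OWASP-recommended order of magnitude for SHA-256


def hash_password(password: str) -> str:
    salt = os.urandom(16)  # fresh salt per record, never reused
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_b64, hash_b64 = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: reject rather than raise
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return hmac.compare_digest(actual, expected)


def leaks_equal_passwords(store_fn, sample: str = "Password123!") -> bool:
    """Defensive check: does storing the same password twice yield the same
    stored value? True means a known plaintext/stored pair reveals every
    other account that uses that password (the CWE-261 failure mode)."""
    return store_fn(sample) == store_fn(sample)


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    print("weak stand-in leaks equal passwords:", leaks_equal_passwords(weak_encode))
    print("pbkdf2 store leaks equal passwords:", leaks_equal_passwords(hash_password))
    rec = hash_password("correct horse")
    print("verify correct:", verify_password("correct horse", rec))
    print("verify wrong:  ", verify_password("battery staple", rec))
```

Upgrading to STER 9.5 is the fix for this CVE; the check above is what to apply when auditing any other system's credential store, since a leaked table of deterministic encodings is recoverable from known pairs regardless of the product.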
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.