CVE-2026-42251

Vulnerability

CVE-2026-42251 describes the use of hard-coded credentials in the KS-SOMED healthcare management suite. The FTP server that hosts application update packages is accessible with these embedded credentials, which are present in two modules: KSPLUPDFTP.exe up to version 30.00.00.056 and ANEKSKLIENT.EXE up to version 29.00.02.026. An attacker who discovers the credentials can authenticate to the FTP server without any additional authentication or privileges [1].

Exploitation

An unauthorized attacker with network access to the FTP server can use the hard-coded credentials to log in. Once authenticated, the attacker can upload a malicious update package to the server. The compromised update may then be distributed to client machines and installed as though it were a legitimate update. No further authentication or user interaction is required for the upload; the exploit relies on the attacker being able to reach the FTP server over the network [1].

Impact

A successful attack results in the distribution and installation of a malicious update on client systems, which can lead to arbitrary code execution, data theft, or further compromise of the affected environment. The attacker gains the ability to replace legitimate update files with a tainted version, effectively achieving a man-in-the-middle-like supply chain attack on the update process. The provided reference notes that after the fix was implemented, the previously exposed credentials were limited to read-only access [1].

Mitigation

The vendor, KAMSOFT S.A., has addressed the issue by removing the hard-coded credentials from the code and changing the update process. The access granted by the previously exposed credentials has been limited to read-only on the FTP server. Users should update to the latest versions of the affected modules (beyond 30.00.00.056 for KSPLUPDFTP.exe and beyond 29.00.02.026 for ANEKSKLIENT.EXE) to obtain the fix. No other workarounds are disclosed in the available reference [1].