CVE-2026-25600

6.4 MEDIUM

The PDBM application relies on a static, hard‑coded secret embedded in the PDBM.exe executable

Published: 2026-06-01 · Last updated: 2026-06-01

Severity and scoring

CVSS: 6.4 MEDIUM
Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-798

Description

The PDBM application relies on a static, hard‑coded secret embedded in the PDBM.exe executable. This secret is used by the application’s encryption routines, including the function responsible for decrypting credentials stored in the product’s configuration file. Because the secret is constant across installations, any attacker with sufficient local privileges can extract it from the binary. Once obtained, the secret allows the attacker to decrypt the stored password and authenticate as the user defined in the configuration file. In the affected version, this user account is configured with administrative privileges, granting full access to PDBM’s management interface and its underlying operational functions.

Source: NVD

References

Related CVEs

Same CWE

CVE-2026-50083 — The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-... (9.1 CRITICAL)
CVE-2026-10557 — The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices (9.8 CRITICAL)
CVE-2026-11849 — The iRM-IEI Remote Management developed by IEI Integration Corp has a Hardcoded Credentials vulnerability, allowing unauthenticated remo... (9.8 CRITICAL)
CVE-2026-47281 — Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network (9.6 CRITICAL)
CVE-2026-11414 — A hard-coded cryptographic key is used by Altium Enterprise Server to sign file download URLs in the Vault service