Full Report
A Use of Hard-coded Credentials vulnerability (CVE-2026-42251) has been found in the KS-SOMED software.
Analysis Summary
# Vulnerability: Hard-coded Credentials in KAMSOFT KS-SOMED Update Modules
## CVE Details
- **CVE ID**: CVE-2026-42251
- **CVSS Score**: Not provided in the advisory (estimated High/Critical given the potential for supply chain compromise)
- **CWE**: CWE-798 (Use of Hard-coded Credentials)
## Affected Systems
- **Products**: KAMSOFT KS-SOMED
- **Versions**:
  - Module **KSPLUPDFTP.exe**: all versions through 30.00.00.056
  - Module **ANEKSKLIENT.EXE**: all versions through 29.00.02.026
- **Configurations**: Systems utilizing the aforementioned modules for software updates.
## Vulnerability Description
The KS-SOMED software contained hard-coded credentials within its update modules. These credentials granted unauthorized access to the FTP server responsible for hosting the application's update packages. Because the credentials were embedded directly in the executable code, they could be extracted and used by an attacker to authenticate to the update infrastructure.
## Exploitation
- **Status**: Reported and handled through coordinated disclosure; no active exploitation in the wild has been reported, though the risk is high.
- **Complexity**: Low (Credential extraction from binaries is a standard technique).
- **Attack Vector**: Network (Access to the FTP server via the internet).
## Impact
- **Confidentiality**: High (Access to update server contents).
- **Integrity**: High (Potential to upload malicious update files to be distributed to clients).
- **Availability**: Medium (Potential to disrupt the update mechanism).
**Note**: This vulnerability poses a significant supply chain risk, as an attacker could potentially distribute malware disguised as legitimate software updates.
## Remediation
### Patches
The vendor has released updates to address this flaw. Users should update to at least the following versions:
- **KSPLUPDFTP.exe**: Version 30.00.00.057 or higher.
- **ANEKSKLIENT.EXE**: Version 29.00.02.027 or higher.
### Workarounds
- The vendor/CERT Polska reported that access granted by the previously exposed credentials has been limited to **read-only** on the server side to prevent the injection of malicious files.
- Ensure that network egress rules restrict unauthorized FTP connections if the update modules are not currently in use.
## Detection
- **Indicators of Compromise**: Monitor the update server's FTP logs for unusual login activity or file uploads originating from non-authorized administrative IPs.
- **Detection Methods**: Auditing local installations for the presence of the vulnerable module versions listed above.
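The second detection method above (auditing installations for the vulnerable module versions) is easy to get wrong when version strings are compared as text, because unpadded fields such as `30.0.0.100` sort before `30.00.00.056`. The following Python script is an added example, not code from KAMSOFT, CERT Polska or the advisory: it compares each module's file version field by field against the fixed versions the advisory names and reports vulnerable or unparseable entries. The hostnames, paths and inventory rows are constructed for the example; only the two module names and the fixed-version thresholds come from the advisory.

```python
import re
from typing import Dict, List, Tuple

# First non-vulnerable build per module, as stated in the advisory.
FIXED_VERSIONS: Dict[str, str] = {
    "KSPLUPDFTP.EXE": "30.00.00.057",
    "ANEKSKLIENT.EXE": "29.00.02.027",
}

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Split a dotted version into integer fields so that numeric order is used,
    not string order ('30.0.0.100' must rank above '30.00.00.056')."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(field) for field in text.split("."))


def _pad(version: Tuple[int, ...], length: int) -> Tuple[int, ...]:
    """Right-pad with zeros so '30.0' and '30.0.0.0' compare as equal."""
    return version + (0,) * (length - len(version))


def is_vulnerable(module: str, version: str) -> bool:
    """True when the installed build is older than the advisory's fixed build."""
    key = module.upper()
    if key not in FIXED_VERSIONS:
        raise KeyError(f"module not covered by this advisory: {module}")
    found = parse_version(version)
    fixed = parse_version(FIXED_VERSIONS[key])
    width = max(len(found), len(fixed))
    return _pad(found, width) < _pad(fixed, width)


def audit(inventory: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Inventory rows are (host, module path, file version). Returns one finding per
    vulnerable module and one per record whose version could not be parsed; modules
    outside the advisory's scope are skipped."""
    findings: List[Dict[str, str]] = []
    for host, path, version in inventory:
        # Strip either Windows or POSIX directory separators to get the file name.
        name = path.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].upper()
        if name not in FIXED_VERSIONS:
            continue
        try:
            vulnerable = is_vulnerable(name, version)
        except ValueError:
            # A corrupt inventory record must be surfaced, not silently treated as patched.
            findings.append({"host": host, "module": name, "version": version,
                             "status": "unparseable"})
            continue
        if vulnerable:
            findings.append({"host": host, "module": name, "version": version,
                             "status": "vulnerable", "fixed": FIXED_VERSIONS[name]})
    return findings


# Constructed sample inventory (hosts, paths and versions are made up for the example).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-01", r"C:\KS\KSPLUPDFTP.exe", "30.00.00.056"),   # last vulnerable build
    ("ws-02", r"C:\KS\KSPLUPDFTP.exe", "30.00.00.057"),   # first fixed build
    ("ws-03", r"C:\KS\KSPLUPDFTP.exe", "30.0.0.100"),     # unpadded; string compare would flag it wrongly
    ("ws-04", r"C:\KS\ANEKSKLIENT.EXE", "29.00.02.026"),  # last vulnerable build
    ("ws-05", r"C:\KS\ANEKSKLIENT.EXE", "29.00.02.027"),  # first fixed build
    ("ws-06", r"C:\KS\ANEKSKLIENT.EXE", "29.00.02.0a"),   # corrupt record
    ("ws-07", r"C:\KS\OTHER.EXE", "1.0"),                 # not in scope
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
```

To build a real inventory on Windows hosts, the file version of each module can be read with PowerShell's `(Get-Item <path>).VersionInfo.FileVersion` and fed to `audit` as rows; the script deliberately reports unparseable versions as findings so that a malformed collection result is investigated rather than counted as patched.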
## References
- **CERT Polska Advisory**: hxxps[://]cert[.]pl/en/posts/2026/06/vulnerability-in-ks-somed-software/
- **CVE Record**: hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-42251
- **CWE-798**: hxxps[://]cwe[.]mitre[.]org/data/definitions/798[.]html