Summary
A vulnerability has been identified in Trac d.o.o. Process Database Manager (PDBM). The application contains a hard‑coded cryptographic secret embedded directly within the executable binary. This secret is used by the product’s internal encryption and decryption routines, including the mechanism responsible for decrypting credentials stored in the application’s configuration file.
An attacker with local high privileges on the host system may extract the hard‑coded secret from the executable and use it to decrypt the administrative password stored in the configuration file. Successful exploitation enables the attacker to authenticate as an administrative user and perform unauthorized actions within the PDBM application and the connected ICS/OT environment.
Identifiers
CVE-2026-25600
Vendor: Trac d.o.o.
Product: PDBM (Process Database Manager)
Vulnerability: Hard-coded secret keys stored in an executable (Credential Exposure)
CVSS score: 6.4 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
CWE-798: Use of Hard-coded Credentials
Vulnerable products
Affected Version: PDBM 1.0.0.0
The vulnerability is resolved in PDBM 2.0.0.0 and later.
Details
The PDBM application relies on a static, hard‑coded secret embedded in the PDBM.exe executable. This secret is used by the application’s encryption routines, including the function responsible for decrypting credentials stored in the product’s configuration file. Because the secret is constant across installations, any attacker with sufficient local privileges can extract it from the binary.
Once obtained, the secret allows the attacker to decrypt the stored password and authenticate as the user defined in the configuration file. In the affected version, this user account is configured with administrative privileges, granting full access to PDBM’s management interface and its underlying operational functions.
The vulnerable executable has the following SHA‑256 hash:
62901707602CB8822B7A84B1B361961C0C0562D24E6CDE4F4A39016ACC51F1CE
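The hash above identifies one specific build, so the practical question for an operator is whether that exact file is present on any engineering workstation or server. The following inventory check is an added example and not part of the advisory or of Trac's software; the only fact taken from the advisory is the SHA-256 value, and the install root searched by default is an assumption that has to be adjusted to the local installation.

```python
"""Inventory check: does a host carry the PDBM.exe build named in this advisory?

Added example, not part of the advisory or of the vendor's product.  The only
value taken from the advisory is VULNERABLE_PDBM_SHA256; the directory layout
searched is an assumption to be adjusted to the local installation.
"""
import hashlib
import os
import sys
from pathlib import Path

# SHA-256 of the affected PDBM 1.0.0.0 executable, as published in the advisory.
VULNERABLE_PDBM_SHA256 = (
    "62901707602CB8822B7A84B1B361961C0C0562D24E6CDE4F4A39016ACC51F1CE".lower()
)


def sha256_of_bytes(data: bytes) -> str:
    """Lower-case hex SHA-256 of an in-memory buffer (used by the tests)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path) -> str:
    """Stream the file in 1 MiB chunks so large binaries never sit in memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_vulnerable_binary(path) -> bool:
    """True only for a byte-identical copy of the build listed in the advisory.

    A different compile of 1.0.0.0 would not match; a hash miss therefore does
    not prove the host is clean, and the file's product version must be checked
    as well.
    """
    return sha256_of_file(path) == VULNERABLE_PDBM_SHA256


def find_vulnerable_binaries(root) -> list:
    """Walk `root` and return every PDBM.exe whose hash matches the advisory."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "pdbm.exe":  # case-insensitive: Windows file names
                candidate = Path(dirpath) / name
                if is_vulnerable_binary(candidate):
                    hits.append(candidate)
    return hits


if __name__ == "__main__":
    # Assumed install root; pass the real one as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files"
    for hit in find_vulnerable_binaries(root):
        print(f"affected build: {hit}")
```

Run it with the real installation directory as the first argument. Because the check is an exact-match on one published build, treat a hit as confirmation of the affected version, but treat a miss only as "not this exact file": confirm the product version in the executable's file properties before concluding that a host is on 2.0.0.0 or later.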
Impact
Exploitation of this vulnerability allows an attacker with existing high‑privilege access on the host system to recover the administrative credentials used by the PDBM application. Because the application relies on a hard‑coded secret to decrypt the password stored in its configuration file, an attacker who extracts this secret can decrypt the stored credentials and authenticate as the administrative user. This grants full control over the PDBM interface and its operational functions.
With decrypted credentials, an attacker could gain unauthorized access to connected ICS/OT systems, potentially enabling manipulation of industrial processes, operational disruption, or lateral movement within critical infrastructure networks.
Although exploitation requires local privileged access within a segregated, firewall-protected OT network, the consequences of a successful compromise are significant because of the elevated permissions associated with the recovered credentials and the critical role PDBM may play in industrial operations.
We recommend that when assessing the risks associated with reported vulnerabilities, organisations do not rely solely on the base CVSS score, but adjust the risk level to their specific environment by using the Environmental score (Environmental – Modified Base Metrics). Such an assessment can only be performed with knowledge of how the affected product is deployed within the organisation’s operational context.
Exploitation status
There are currently no known exploits in circulation that target this vulnerability.
Mitigation
The vulnerability was addressed in version 2.0.0.0, which has been in use since 2020. This version no longer contains hard-coded keys in the executable file and instead uses a hash-based authentication mechanism.
Additional measures (good practice):
- Access Control: Ensure that access to the application environment and configuration files is restricted to authorized personnel only.
- Monitoring: Implement monitoring and logging to detect any unauthorized access attempts or suspicious activities.
Timeline
- 15 January 2026 — Initial report submitted to SI‑CERT regarding the possibility of vulnerable Trac products.
- 21 January 2026 — Vulnerability researcher provided detailed technical information about the identified issues.
- 3 February 2026 — Vendor formally notified of the vulnerability.
- 29 May 2026 — Advisory published.
Acknowledgments
The vulnerability was identified and responsibly disclosed by Mijo Mišić, penetration tester at Combis d.o.o., Croatia.
Contact
SI-CERT
ARNES
Tehnološki park 18, 1000 Ljubljana
T: 01 479 88 00
E: info@cert.si