Allen F

**Name of the Vulnerable Software and Affected Versions** MEDHOST Connex (affected versions not specified) **Description** The issue concerns hard-coded credentials in MEDHOST Connex, which is used for customer database access. An attacker with knowledge of these credentials and direct communication with the database may obtain or modify sensitive patient and financial information. The application utilizes an IBM i DB2 user account, named `HMSCXPDN`, with a hard-coded password that cannot be changed by customers. This account has elevated DB2 roles, allowing access to all database objects or tables. Data can be accessed through `ODBC`, `FTP`, and `TELNET`. Even customers without Connex installed are vulnerable because the MEDHOST setup program creates this account. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.