PT-2026-40902 · Comarch · Erp Optima

Wojciech Giełda

·

Published

2026-05-14

·

Updated

2026-05-14

·

CVE-2025-68420

CVSS v4.0

7.5

High

VectorAV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions Comarch ERP Optima versions prior to 2026.4
Description The client connects to a database using a high privileged account regardless of the application account used for login. A local attacker controlling the client process can dump its memory to extract credentials, enabling privileged access to the database. This requires the client application to be previously configured, although a user does not need to be logged in.
Recommendations Update to version 2026.4.

Fix

LPE

Incorrect Privilege Assignment

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2025-68420

Affected Products

Erp Optima