PT-2026-40902 · Comarch · Erp Optima
Wojciech Giełda
·
Published
2026-05-14
·
Updated
2026-05-14
·
CVE-2025-68420
CVSS v4.0
7.5
High
| Vector | AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Comarch ERP Optima versions prior to 2026.4
Description
The client connects to a database using a high privileged account regardless of the application account used for login. A local attacker controlling the client process can dump its memory to extract credentials, enabling privileged access to the database. This requires the client application to be previously configured, although a user does not need to be logged in.
Recommendations
Update to version 2026.4.
Fix
LPE
Incorrect Privilege Assignment
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Erp Optima