CVE-2025-68421

Summary

Comarch ERP Optima client makes use of a hard-coded password for a database user. These credentials cannot be changed. It is possible for a remote attacker to gain an access to the database with elevated privileges including executing system commands on a server. This issue has been fixed in version 2026.4

Affected Software

VendorProductVersion RangeStatus
ComarchERP Optima0 < 2026.4affected

Weaknesses

  • CWE-798: CWE-798 Use of Hard-coded Credentials

Workarounds

Since these accounts are used for backward compatibility only, in some cases it is possible to disable them in the SQL server.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References