CVE-2026-42251: Hard-coded credentials in KS-SOMED
Use of hard-coded credentials in KS-SOMED allowed an unauthorized attacker to access the FTP server that hosted the application's update packages. An attacker with these credentials could upload a malicious update file, which then may have been distributed and installed on client machines as a legitimate update. This issue affects KS-SOMED with modules: KSPLUPDFTP.exe up to 30.00.00.056 and ANEKSKLIENT.EXE up to 29.00.02.026. Besides removing the hard-coded credentials from the code and changing the update process, access granted by previously exposed credentials was limited to read-only.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 2
HarborGuard Analysis
Synopsis
Hard-coded credentials in KAMSOFT KS-SOMED (modules KSPLUPDFTP.exe up to 30.00.00.056 and ANEKSKLIENT.EXE up to 29.00.02.026) allow any unauthenticated attacker who discovers the embedded credentials to authenticate to the application's FTP update server over the network. No prior account or privilege is needed; the credentials are baked into the client binary. Successful exploitation enables the attacker to upload a malicious update package that may be distributed to and silently installed on end-user machines as a legitimate software update. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as upstream fix versions are published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle affected KS-SOMED modules.
Status: Available
HarborGuard scores this finding at CVSS 8.7 (HIGH) using the published v4.0 vector and weighs it against each environment's compliance policy to determine urgency; findings are then routed to the appropriate team inbox within the customer org based on configured ownership rules.
Status: Available
Because no fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the interim, customers can use HarborGuard's policy controls to flag or block images containing the affected module versions and apply compensating controls such as network-policy isolation of the FTP update path.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the application's FTP update server over the network; the CVSS vector specifies AV:N, meaning no physical or local access is needed.
- Authentication: Not required
The credentials required to log in are hard-coded in the client binary, so any attacker who extracts them faces no effective authentication barrier (PR:N).
- Victim interaction: Not required
No victim action is needed to expose the FTP server; the attacker operates entirely against the server-side endpoint without requiring a user to click or open anything (UI:N).
- Attack complexity: Detail
Attack complexity is low (AC:L): exploiting the hard-coded credentials requires no race condition, special timing, or environmental prerequisite beyond network access to the FTP server.
Blast Radius
- An attacker reads any files hosted on the FTP update server, including legitimate update packages, using the exposed credentials (high confidentiality impact on the vulnerable component).
- An attacker uploads a malicious file to the FTP update server, replacing or supplementing legitimate update packages with trojanized ones.
- Client machines that pull and install the tampered update package execute attacker-controlled code under the guise of a trusted software update.
- Depending on the privileges of the update installer on client machines, the attacker gains persistent code execution across every host in the KS-SOMED deployment that applies the poisoned update.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively tracked with no upstream fix version published as of the CVE publication date (2026-06-01). HarborGuard re-evaluates the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment KAMSOFT releases a fixed version of KSPLUPDFTP.exe or ANEKSKLIENT.EXE. While no patch exists, customers can apply compensating controls through HarborGuard's policy engine: use network-policy isolation to restrict which hosts can reach the FTP update endpoint, apply egress filtering to prevent unauthorized FTP connections from application containers, and configure pipeline gates to block promotion of any image containing the affected module versions. For customers with auto-remediation enabled, a rebuilt image and regression-test run will be triggered automatically and a PR opened against affected workloads as soon as a fix version is published upstream.
- KAMSOFT / KS-SOMED ≤ 30.00.00.056
- KAMSOFT / KS-SOMED ≤ 29.00.02.026
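The pipeline gate mentioned above can be reduced to a version check on the two affected modules. The following is an added example, not HarborGuard or KAMSOFT code: it assumes some earlier step has produced an inventory of (file path, file version) pairs, and the function names, verdict strings and sample paths are constructed for illustration.

```python
import re

# Highest affected builds, taken from the advisory text (inclusive bounds).
AFFECTED_UP_TO = {
    "ksplupdftp.exe": (30, 0, 0, 56),
    "aneksklient.exe": (29, 0, 2, 26),
}
_VERSION_RE = re.compile(r"\d+(?:\.\d+){3}")

def parse_version(text):
    """Turn '30.00.00.056' into (30, 0, 0, 56); return None if malformed."""
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(module, version):
    """Return 'affected', 'not-affected', 'unknown-version' or 'not-in-scope'."""
    limit = AFFECTED_UP_TO.get(module.strip().lower())
    if limit is None:
        return "not-in-scope"
    parsed = parse_version(version)
    if parsed is None:
        return "unknown-version"  # fail closed: an unreadable version blocks
    return "affected" if parsed <= limit else "not-affected"

def gate(inventory):
    """Return (allow, findings) for (path, version) pairs.

    Paths may use Windows or POSIX separators; only the file name is matched.
    """
    findings = []
    for path, version in inventory:
        module = re.split(r"[\\/]", path)[-1]
        verdict = classify(module, version)
        if verdict in ("affected", "unknown-version"):
            findings.append((path, version, verdict))
    return (not findings, findings)

# Constructed sample inventory (paths and versions are made up for the example).
SAMPLE = [
    (r"C:\KS\APPS\KSPLUPDFTP.exe", "30.00.00.056"),
    (r"C:\KS\APPS\ANEKSKLIENT.EXE", "29.00.02.027"),
    ("/opt/ks/ksplupdftp.exe", "30.0.0.9"),
    ("/opt/ks/aneksklient.exe", "n/a"),
    ("/opt/ks/other.exe", "1.0.0.0"),
]

if __name__ == "__main__":
    allow, findings = gate(SAMPLE)
    print("allow promotion:", allow, findings)
```

Module names are matched case-insensitively because the advisory itself writes them in mixed case, and a version that cannot be parsed is reported rather than silently passed.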
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N