← back
CVE-2026-41879

Weak password hashing in R-SOFT DMS

CVSS 8.2 HIGHCWE-328
Vexday Risk Score
18Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.2EPSS KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
10 Jul 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
R-SOFT DMS stores superadmin credentials using a non-salted nested MD5 hash. This allows an attacker who obtain password hash to decode superadmin credentials. Critically, this password cannot be changed except by modifying the configuration file. This issue was fixed in version v3.17-2000.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
R-SOFT SERWIS · DMS