CVE-2025-68420 Overview
CVE-2025-68420 affects Comarch ERP Optima, a Polish enterprise resource planning product. The client application connects to its backend database using a single high-privileged account, regardless of which application-level user logs in. A local attacker who controls the client process can dump its memory, recover the embedded credentials, and reuse them for privileged database access. Exploitation does not require an authenticated application session — the client only needs to be configured. The issue is tracked under [CWE-266] (Incorrect Privilege Assignment) and has been fixed in version 2026.4.
Critical Impact
A local attacker can extract database credentials from client process memory and gain privileged access to the Comarch ERP Optima database without logging into the application.
Affected Products
- Comarch ERP Optima client (versions prior to 2026.4)
- Deployments where the client has been configured to connect to the ERP database
- Workstations running the Comarch Optima desktop client
Discovery Timeline
- 2026-05-14 - CVE-2025-68420 published to NVD
- 2026-05-14 - Last updated in NVD database
- Advisory - Published by CERT Poland
Technical Details for CVE-2025-68420
Vulnerability Analysis
The Comarch ERP Optima client maintains its database connection under a shared, high-privileged service account. Application-level authentication and authorization are enforced inside the client, not at the database layer. Every workstation therefore holds credentials that grant elevated access to the backend database.
A local attacker with access to the client process can read its memory and locate these credentials. Because the credentials are loaded once the client is configured, an active user session is not required for extraction. After recovering the credentials, the attacker can connect directly to the database and bypass all application-side access controls.
This design also undermines auditing. Database-side logs attribute every action to the shared service account rather than to the Optima user who initiated it.
Root Cause
The root cause is incorrect privilege assignment ([CWE-266]). The application uses a single high-privileged database principal for all users instead of mapping application identities to least-privileged database roles. Sensitive credentials remain resident in client process memory.
Attack Vector
The attack vector is local. An attacker requires code execution or process-memory read access on a workstation where the Optima client is installed and configured. The attacker dumps the client process memory using standard operating system tooling, parses the dump to extract the database username and password, and then connects to the database server directly using any compatible client. No application login is needed and no user interaction is required.
Verified exploitation code is not available for this issue. Refer to the CERT Poland advisory for additional technical context.
Detection Methods for CVE-2025-68420
Indicators of Compromise
- Process memory dump artifacts (.dmp files, MiniDumpWriteDump invocations) targeting the Comarch Optima client process on user workstations.
- Database logons using the shared Optima service account from hosts or applications other than the official client.
- Outbound database connections from unusual processes such as sqlcmd.exe, PowerShell, or third-party SQL clients on Optima workstations.
Detection Strategies
- Hunt for processes opening a handle to the Optima client with PROCESS_VM_READ or PROCESS_QUERY_INFORMATION rights from non-system parents.
- Correlate Windows Sysmon Event ID 10 (ProcessAccess) targeting the Optima client image with subsequent SQL Server authentication events for the shared account.
- Alert on SQL Server logon events where the source workstation, application name, or hostname does not match the approved Optima client fingerprint.
Monitoring Recommendations
- Enable SQL Server login auditing and forward events to a central SIEM for correlation with endpoint telemetry.
- Baseline the legitimate process names, hostnames, and network paths used by the Optima client and alert on deviations.
- Monitor for credential-dumping tools such as procdump, Task Manager memory dumps, and comsvcs.dll MiniDump exports on workstations running the client.
How to Mitigate CVE-2025-68420
Immediate Actions Required
- Upgrade the Comarch ERP Optima client to version 2026.4 or later on every workstation.
- Rotate the database credentials used by the Optima client after upgrading, because exposed credentials remain valid until changed.
- Restrict local administrator rights on workstations running the client to limit who can read process memory.
Patch Information
Comarch has fixed this issue in Optima version 2026.4. Apply the vendor update across all client installations. Review the CERT Poland advisory for CVE-2025-68420 and Comarch Optima product information for vendor-specific upgrade guidance.
Workarounds
- Network-segment the database server so only approved Optima client subnets can reach it, reducing the value of stolen credentials.
- Enforce application allowlisting on Optima workstations to block unauthorized SQL clients and memory-dumping utilities.
- Apply least-privilege controls on the shared database account where business processes allow, removing rights that are not required by the client.
- Increase database-side auditing on the shared Optima account to detect anomalous queries originating outside the client.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
