CVE-2025-68421 Overview
CVE-2025-68421 is a hard-coded credentials vulnerability in the Comarch ERP Optima client. The application ships with a database user account whose password is embedded in the client and cannot be changed by administrators. An attacker on an adjacent network can extract these credentials and authenticate to the backing database with elevated privileges. This access permits execution of system commands on the database server, extending the impact beyond data exposure to full server compromise. The issue is tracked as CWE-798: Use of Hard-coded Credentials and has been fixed in Comarch ERP Optima version 2026.4.
Critical Impact
Remote attackers with adjacent network access can authenticate to the Comarch ERP Optima database with elevated privileges and execute operating system commands on the database server.
Affected Products
- Comarch ERP Optima client versions prior to 2026.4
- Database backends configured with the hard-coded service account
- Deployments where the database server is reachable from the adjacent network
Discovery Timeline
- 2026-05-14 - CVE-2025-68421 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2025-68421
Vulnerability Analysis
The Comarch ERP Optima client embeds static credentials for a privileged database user inside the application binary or configuration. Because the password is hard-coded, administrators cannot rotate it without vendor intervention. Any attacker who recovers the credentials, whether through reverse engineering of the client, memory inspection, or traffic analysis on an adjacent network, obtains a stable authentication path to the database. The database account carries privileges sufficient to execute system commands on the host running the database engine. This converts a credential disclosure into remote code execution on backend infrastructure.
Root Cause
The root cause is the use of static, non-configurable credentials shipped with the client, classified as CWE-798. The same secret is present across all customer installations, so disclosure in one environment compromises every deployment using the affected versions. The associated database principal also holds excessive privileges, permitting OS command execution rather than restricted data access.
Attack Vector
Exploitation requires adjacent network access to the database service used by Comarch ERP Optima. An attacker recovers the embedded credentials from the client, then connects directly to the database server using a standard database client. Once authenticated, the attacker issues queries or stored procedures that invoke operating system commands, achieving code execution under the database service account. No user interaction or prior authentication is required. Verified technical details are available in the CERT Polska advisory and the Comarch ERP product overview.
Detection Methods for CVE-2025-68421
Indicators of Compromise
- Database logins from workstations or hosts that do not normally run the Comarch ERP Optima client
- Execution of xp_cmdshell, sp_OACreate, or equivalent OS command primitives by the embedded service account
- Outbound connections from the database server to unexpected internal or external hosts following a login event
Detection Strategies
- Audit database authentication logs for the hard-coded account and correlate source IP addresses against an allow-list of legitimate ERP clients
- Alert on any invocation of OS command execution procedures by the Comarch service account
- Monitor for new processes spawned by the database engine, including cmd.exe, powershell.exe, or shell interpreters on Linux backends
Monitoring Recommendations
- Forward database audit logs and host process telemetry from the database server into a central analytics platform for correlation
- Track configuration drift on the database server, including changes to xp_cmdshell enablement and role membership for the embedded account
- Baseline normal client-to-database traffic patterns and alert on connections originating outside the ERP client subnet
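As an added example (not from the advisory, CERT Polska or Comarch), the following Python script applies the detection strategies above to a constructed audit log: it flags logins by the hard-coded service account from outside the ERP client subnet, any enablement of xp_cmdshell (configuration drift), and invocations of OS command primitives, grading the latter higher when the service account issues them. The account name, the client subnet and the pipe-delimited log shape are assumptions; substitute the principal and audit export your deployment actually uses.

```python
import ipaddress
import re

# Assumed placeholder: the advisory does not publish the hard-coded account name.
SERVICE_ACCOUNT = "optima_svc"

# Assumed allow-list of subnets from which legitimate ERP clients connect.
ERP_CLIENT_SUBNETS = [ipaddress.ip_network("10.20.0.0/24")]

# Stored procedures that hand the database engine an OS command primitive.
OS_COMMAND_PRIMITIVES = re.compile(
    r"\b(xp_cmdshell|sp_OACreate|sp_OAMethod)\b", re.IGNORECASE)
# Statement that turns xp_cmdshell on (tracked as configuration drift).
ENABLE_CMDSHELL = re.compile(
    r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.IGNORECASE)

# Constructed audit events: timestamp|event|principal|client_ip|statement
SAMPLE_AUDIT_LOG = """\
2026-05-15T08:01:12Z|LOGIN|optima_svc|10.20.0.15|
2026-05-15T08:01:13Z|STMT|optima_svc|10.20.0.15|SELECT TOP 10 * FROM dbo.Invoices
2026-05-15T08:07:44Z|LOGIN|optima_svc|192.168.77.9|
2026-05-15T08:07:46Z|STMT|optima_svc|192.168.77.9|EXEC sp_configure 'xp_cmdshell', 1
2026-05-15T08:07:47Z|STMT|optima_svc|192.168.77.9|EXEC xp_cmdshell 'whoami'
2026-05-15T08:09:00Z|LOGIN|reportuser|10.20.0.30|
2026-05-15T08:09:01Z|STMT|reportuser|10.20.0.30|EXEC xp_cmdshell 'dir'
"""


def parse_events(log_text):
    """Split the pipe-delimited export into event dicts (empty lines skipped)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, principal, ip, stmt = line.split("|", 4)
        events.append({"ts": ts, "kind": kind, "principal": principal.lower(),
                       "ip": ip, "stmt": stmt})
    return events


def ip_allowed(ip_str):
    """True when the client address falls inside an ERP client subnet."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in ERP_CLIENT_SUBNETS)


def detect(events):
    """Return alerts as (severity, timestamp, reason) tuples, in log order."""
    alerts = []
    for e in events:
        svc = e["principal"] == SERVICE_ACCOUNT
        if e["kind"] == "LOGIN" and svc and not ip_allowed(e["ip"]):
            alerts.append(("high", e["ts"],
                           f"service account login from non-ERP host {e['ip']}"))
        elif e["kind"] == "STMT" and ENABLE_CMDSHELL.search(e["stmt"]):
            alerts.append(("high", e["ts"],
                           f"{e['principal']} enabled xp_cmdshell (config drift)"))
        elif e["kind"] == "STMT" and OS_COMMAND_PRIMITIVES.search(e["stmt"]):
            alerts.append(("high" if svc else "medium", e["ts"],
                           f"{e['principal']} invoked OS command primitive from {e['ip']}"))
    return alerts


if __name__ == "__main__":
    for sev, ts, reason in detect(parse_events(SAMPLE_AUDIT_LOG)):
        print(f"[{sev.upper()}] {ts} {reason}")
```

The script goes slightly beyond the text by also grading OS command primitives used by accounts other than the service account, since the mitigation section recommends disabling xp_cmdshell altogether.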
How to Mitigate CVE-2025-68421
Immediate Actions Required
- Upgrade all Comarch ERP Optima clients and supporting components to version 2026.4 or later
- Restrict network access to the database server so that only authorized ERP application hosts can reach it
- Disable OS command execution features such as xp_cmdshell on the database engine unless explicitly required
- Review database audit logs for prior use of the embedded account from unexpected sources
Patch Information
Comarch has fixed this issue in Comarch ERP Optima version 2026.4. Administrators should plan an upgrade across all client installations and verify that the database account associated with the hard-coded credential is rotated or decommissioned after the upgrade. Refer to the CERT Polska advisory for coordinated disclosure details.
Workarounds
- Place the database server behind a firewall that permits inbound connections only from validated ERP client IP ranges
- Remove the embedded account from privileged database roles where business operations allow, and revoke permissions to execute OS command procedures
- Segment the ERP environment into a dedicated VLAN to reduce adjacent-network exposure until the patch is deployed
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.