CVE-2026-5310 Overview
A cryptographic key management vulnerability has been identified in Enter Software Iperius Backup versions up to 8.7.2. The vulnerability exists in the IperiusAccounts.ini configuration file, which uses a hard-coded cryptographic key for encrypting sensitive account credentials. An attacker with local access to the system could potentially extract and decrypt stored credentials by leveraging this static encryption key.
Critical Impact
Local attackers can decrypt sensitive account credentials stored in the IperiusAccounts.ini configuration file by exploiting the hard-coded cryptographic key, potentially leading to unauthorized access to backup destinations and connected systems.
Affected Products
- Enter Software Iperius Backup versions up to 8.7.2
- Systems storing sensitive credentials in IperiusAccounts.ini
Discovery Timeline
- April 1, 2026 - CVE-2026-5310 published to NVD
- April 1, 2026 - Last updated in NVD database
Technical Details for CVE-2026-5310
Vulnerability Analysis
This vulnerability falls under CWE-320 (Key Management Errors), specifically involving the use of a hard-coded cryptographic key within the Iperius Backup application. The application stores account credentials in the IperiusAccounts.ini configuration file, encrypting them with a static key embedded in the application code. This design flaw allows any user with local system access and knowledge of the key to decrypt stored credentials.
The attack requires local access to the target system where Iperius Backup is installed. The exploitation complexity is characterized as high, meaning successful attacks require specific conditions to be met, including access to both the configuration file and knowledge of the encryption methodology.
Root Cause
The root cause of this vulnerability stems from improper cryptographic key management practices. Rather than implementing secure key derivation, per-installation unique keys, or leveraging the operating system's credential storage mechanisms (such as Windows Credential Manager or DPAPI), the developers embedded a static encryption key directly in the application. This hard-coded approach means that every installation of the affected Iperius Backup versions uses the identical key for credential encryption, making the encrypted data vulnerable to decryption by anyone who discovers or reverse-engineers this key.
Attack Vector
The attack vector is local, requiring the attacker to have authenticated access to the system where Iperius Backup is installed. The attack proceeds as follows:
- The attacker gains local access to a system running a vulnerable version of Iperius Backup
- The attacker locates and extracts the IperiusAccounts.ini configuration file containing encrypted credentials
- Using the hard-coded cryptographic key (which can be extracted from the application binary or obtained from public disclosures), the attacker decrypts the stored credentials
- The decrypted credentials may provide access to backup destinations, cloud storage accounts, FTP servers, or other configured resources
A proof-of-concept script demonstrating the decryption process has been made publicly available. Technical details can be found in the GitHub Security Advisory and the associated PoC Script.
Detection Methods for CVE-2026-5310
Indicators of Compromise
- Unauthorized access to the IperiusAccounts.ini file located in the Iperius Backup installation directory
- Suspicious file read operations targeting Iperius configuration files from non-Iperius processes
- Evidence of credential decryption tools or scripts (such as decrypt_iperius.py) present on the system
- Unusual login attempts to backup destinations using credentials stored in Iperius Backup
Detection Strategies
- Monitor file access events for the IperiusAccounts.ini configuration file, alerting on access by processes other than the legitimate Iperius Backup service
- Implement endpoint detection rules to identify known PoC tools associated with this vulnerability
- Review audit logs for suspicious PowerShell or Python script executions that may indicate credential extraction attempts
- Deploy file integrity monitoring on Iperius Backup configuration directories
Monitoring Recommendations
- Enable detailed file access auditing on systems running Iperius Backup
- Configure SentinelOne Singularity to monitor for behavioral indicators associated with credential harvesting from backup software
- Establish baseline access patterns for Iperius configuration files to detect anomalous access
- Monitor for lateral movement attempts using credentials that may have been stored in backup software
How to Mitigate CVE-2026-5310
Immediate Actions Required
- Upgrade Iperius Backup to version 8.7.4 or later, which addresses this vulnerability
- Audit systems running affected versions to identify potential credential exposure
- Rotate all credentials stored in Iperius Backup configurations after upgrading
- Restrict local user access to systems running backup software to minimize the attack surface
Patch Information
Enter Software has released version 8.7.4 of Iperius Backup to address this vulnerability. The vendor responded professionally and released the fix promptly after disclosure. Users should download the updated version from the official Iperius Backup download page.
Additional vulnerability details are available through VulDB #354639.
Workarounds
- Restrict file system permissions on the Iperius Backup installation directory and configuration files to administrators only
- Implement strict local access controls to limit which users can access systems running backup software
- Consider using Windows NTFS permissions to prevent non-privileged users from reading configuration files
- Monitor and audit access to backup software configuration files pending the upgrade to version 8.7.4
# Configuration example - Restrict access to Iperius configuration directory on Windows
# Run in elevated PowerShell
icacls "C:\Program Files\Iperius Backup" /inheritance:r
icacls "C:\Program Files\Iperius Backup" /grant:r "BUILTIN\Administrators:(OI)(CI)F"
icacls "C:\Program Files\Iperius Backup" /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
