| Field | Value |
|---|---|
| CVE ID | CVE-2025-68420 |
| Publication date | 14 May 2026 |
| Vendor | Comarch |
| Product | ERP Optima |
| Vulnerable versions | All before 2026.4 |
| Vulnerability type (CWE) | Incorrect Privilege Assignment (CWE-266) |
| Report source | Report to CERT Polska |

| Field | Value |
|---|---|
| CVE ID | CVE-2025-68421 |
| Publication date | 14 May 2026 |
| Vendor | Comarch |
| Product | ERP Optima |
| Vulnerable versions | All before 2026.4 |
| Vulnerability type (CWE) | Use of Hard-coded Credentials (CWE-798) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerabilities in Comarch ERP Optima software and participated in coordination of their disclosure.
The vulnerability CVE-2025-68420: the Comarch ERP Optima client connects to the database using a highly privileged account, regardless of which application account the user logs in with. A local attacker who controls the client process can dump its memory, extract the credentials and use them to gain privileged access to the database. To exploit this vulnerability the client application has to be already configured, but a user does not have to be logged in.
The vulnerability CVE-2025-68421: the Comarch ERP Optima client uses a hard-coded password for a database user. These credentials cannot be changed. A remote attacker can use them to gain access to the database with elevated privileges, including executing system commands on the server.
Both issues have been fixed in version 2026.4.
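Until every client is on 2026.4, a defender's practical question is where the shared privileged database login is being used from and whether any of that use does not look like the ERP client. The following triage script is an added example, not code from Comarch or CERT Polska: it runs a small set of detection rules over login-audit records. The login name `erp_app_admin`, the `WS-<digits>` workstation naming rule, the application name, and the key=value audit-line format are all constructed placeholders that you would map onto your own SQL login audit export.

```python
"""Triage helper for the risk class in CVE-2025-68420 and CVE-2025-68421: one
database login with elevated privileges that every ERP client uses, whose
credentials can be recovered from a configured client or are hard-coded.

Added example, not code from Comarch or CERT Polska. The login name, the
host-naming convention, the application name and the audit-line format are
invented placeholders."""
import re
import shlex
from dataclasses import dataclass

# Placeholder: the shared, high-privileged login the client uses
# (the advisory does not name it).
PRIVILEGED_LOGINS = {"erp_app_admin"}
# Placeholder: ERP clients run on workstations named WS-<4 digits>;
# any other source host for this login is unexpected.
WORKSTATION_RE = re.compile(r"^WS-\d{4}$")
# Placeholder: application name the legitimate client presents when connecting.
EXPECTED_APPS = {"Comarch ERP Optima"}

# Constructed audit lines in an invented key=value format.
SAMPLE_AUDIT_LINES = [
    'login=erp_app_admin host=WS-0042 app="Comarch ERP Optima" result=success',
    'login=erp_app_admin host=WS-0042 app=sqlcmd result=success',
    'login=erp_app_admin host=10.9.8.7 app="Comarch ERP Optima" result=success',
    'login=jsmith host=WS-0042 app=sqlcmd result=success',
    'login=erp_app_admin host=WS-0101 app="Comarch ERP Optima" result=failure',
]


@dataclass(frozen=True)
class LoginEvent:
    login: str
    host: str
    app: str
    success: bool


def parse_line(line: str) -> LoginEvent:
    """Parse one constructed audit line; shlex keeps quoted values whole."""
    fields = dict(tok.split("=", 1) for tok in shlex.split(line))
    return LoginEvent(
        login=fields["login"],
        host=fields["host"],
        app=fields.get("app", ""),
        success=fields.get("result") == "success",
    )


def suspicious_uses(lines):
    """Return (event, reasons) for each use of a privileged login that does not
    look like the ERP client running on a workstation. Failed attempts on the
    privileged login are reported as well."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev.login not in PRIVILEGED_LOGINS:
            continue
        reasons = []
        if not WORKSTATION_RE.match(ev.host):
            reasons.append("host is not an ERP workstation")
        if ev.app not in EXPECTED_APPS:
            reasons.append("client application is not the ERP client")
        if not ev.success:
            reasons.append("login failed")
        if reasons:
            findings.append((ev, reasons))
    return findings


def hosts_using_privileged_logins(lines):
    """Map each privileged login to the set of hosts it was used from. Under
    CVE-2025-68420 every configured client holds the credential, so this set
    approximates the exposure until the upgrade to 2026.4 is complete."""
    hosts = {}
    for line in lines:
        ev = parse_line(line)
        if ev.login in PRIVILEGED_LOGINS:
            hosts.setdefault(ev.login, set()).add(ev.host)
    return hosts


if __name__ == "__main__":
    for ev, reasons in suspicious_uses(SAMPLE_AUDIT_LINES):
        print(f"{ev.login}@{ev.host} via {ev.app!r}: {', '.join(reasons)}")
    for login, hosts in hosts_using_privileged_logins(SAMPLE_AUDIT_LINES).items():
        print(f"{login} used from {len(hosts)} host(s): {sorted(hosts)}")
```

The application-name check is a low-fidelity signal, since that string is supplied by the connecting client, and the host rule only works where client machines follow a naming convention; both are meant to surface candidates for a closer look, not to replace the upgrade to 2026.4.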
Credits
We thank Wojciech Giełda for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.