CERT-PL discloses hardcoded-credential supply-chain flaw in KS-SOMED healthcare software (CVE-2026-42251)
From CTI Daily Brief — 2026-06-02 · published 2026-06-02
CERT Polska disclosed CVE-2026-42251 (CWE-798, CVSS 4.0 8.7) in KAMSOFT's KS-SOMED healthcare practice-management suite, widely deployed across Poland's National Health Service (NFZ) network (CERT Polska, 2026-06-01 · ENISA EUVD, 2026-06-01). The KSPLUPDFTP.exe update client (through 30.00.00.056) and ANEKSKLIENT.EXE (through 29.00.02.026) shipped hardcoded FTP credentials for the server hosting the application's update packages. An attacker holding those credentials could upload a malicious update that the auto-update mechanism would then distribute and install on connected client machines as a legitimate vendor update — T1195.002 Compromise Software Supply Chain. KAMSOFT has removed the hardcoded credentials and restricted the previously exposed access to read-only.
Why it matters to us: A single set of leaked update-server credentials can trojanise every installation downstream — the same class of risk seen repeatedly across the npm and Packagist ecosystems, here against national public-healthcare software. Hunt for unexpected FTP connections to vendor update servers from non-vendor source IPs and for unsigned-binary replacement in clinical-software install directories.
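The two hunts above can be sketched as detection logic over endpoint and flow telemetry. This is an added example, not code from the brief, CERT Polska or KAMSOFT. The event schema (`type`, `src`, `dst`, `dport`, `path`, `writer`, `sig_status`), the IP ranges and the install path are assumptions constructed for illustration; only the two update-client file names come from the advisory.

```python
import ipaddress
from pathlib import PureWindowsPath

# Update clients named in the advisory, lower-cased for comparison.
UPDATE_CLIENTS = {"ksplupdftp.exe", "aneksklient.exe"}
BINARY_EXTS = {".exe", ".dll"}

def hunt(events, update_servers, expected_sources, install_dir):
    """Return (rule, event) pairs for the two hunts described above."""
    servers = {ipaddress.ip_address(s) for s in update_servers}
    allowed = [ipaddress.ip_network(n) for n in expected_sources]
    root = PureWindowsPath(install_dir)
    findings = []
    for ev in events:
        if ev["type"] == "flow":
            # Hunt 1: FTP control channel (port 21) to an update server from
            # a source outside the expected ranges.
            src = ipaddress.ip_address(ev["src"])
            if (ipaddress.ip_address(ev["dst"]) in servers and ev["dport"] == 21
                    and not any(src in net for net in allowed)):
                findings.append(("unexpected_ftp_source", ev))
        elif ev["type"] == "file_write":
            # Hunt 2: binary written below the install directory without a valid
            # signature. PureWindowsPath matches per component, ignoring case.
            path = PureWindowsPath(ev["path"])
            if (root in path.parents and path.suffix.lower() in BINARY_EXTS
                    and ev.get("sig_status") != "Valid"):
                writer = PureWindowsPath(ev["writer"]).name.lower()
                rule = ("unsigned_binary_via_updater" if writer in UPDATE_CLIENTS
                        else "unsigned_binary_replaced")
                findings.append((rule, ev))
    return findings

# Constructed sample telemetry (documentation IP ranges, placeholder paths).
INSTALL_DIR = r"C:\EXAMPLE\clinical-app"  # placeholder, not from the advisory
SAMPLE = [
    {"type": "flow", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 21},
    {"type": "flow", "src": "192.0.2.44", "dst": "203.0.113.10", "dport": 21},
    {"type": "flow", "src": "192.0.2.44", "dst": "203.0.113.10", "dport": 443},
    {"type": "file_write", "path": r"c:\example\Clinical-App\bin\core.dll",
     "writer": r"C:\EXAMPLE\clinical-app\KSPLUPDFTP.exe", "sig_status": "Unsigned"},
    {"type": "file_write", "path": r"C:\EXAMPLE\clinical-app\bin\ui.exe",
     "writer": r"C:\EXAMPLE\clinical-app\ANEKSKLIENT.EXE", "sig_status": "Valid"},
    {"type": "file_write", "path": r"C:\EXAMPLE\clinical-app-old\x.exe",
     "writer": r"C:\Windows\explorer.exe", "sig_status": "Unsigned"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE, ["203.0.113.10"], ["198.51.100.0/24"], INSTALL_DIR))
```

The `unsigned_binary_via_updater` rule is the higher-priority finding, since it matches the advisory's scenario of the auto-update mechanism itself installing the replaced binary.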