8.5
Calero VeraSMART Stores Passwords in Readable Format
CVE-2026-26334
Summary
Calero VeraSMART versions before 2026 R1 encrypt the stored service account password with AES keys that are hardcoded in the product, so anyone with local access to the system can recover it. An attacker can then use the password to gain control of the system if the account has the right permissions. To fix this, update to version 2026 R1 or later.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| calero | verasmart | <= 2026.0 | – |
| calero | verasmart | 2026.0 | – |
Original title
Calero VeraSMART versions prior to 2026 R1 contain hardcoded static AES encryption keys within Veramark.Framework.dll (Veramark.Core.Config class). These keys are used to encrypt the password of th...
Original description
Calero VeraSMART versions prior to 2026 R1 contain hardcoded static AES encryption keys within Veramark.Framework.dll (Veramark.Core.Config class). These keys are used to encrypt the password of the service account stored in C:\VeraSMART Data\app.settings. An attacker with local access to the system can extract the hardcoded keys from the Veramark.Framework.dll module and decrypt the stored credentials. The recovered credentials can then be used to authenticate to the Windows host, potentially resulting in local privilege escalation depending on the privileges of the configured service account.
NVD CVSS 3.1
7.8
NVD CVSS 4.0
8.5
Vulnerability type
CWE-798
Use of Hard-coded Credentials
- https://www.calero.com/ Product
- https://www.vulncheck.com/advisories/calero-verasmart-2026-r1-hardcoded-static-a... Third Party Advisory
Published: 13 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026