CVE-2026-26334
Published: 13 February 2026
Summary
CVE-2026-26334 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Calero Verasmart. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 0.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-12 (Cryptographic Key Establishment and Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires proper establishment and management of cryptographic keys, directly preventing the use of hardcoded static AES keys that attackers can extract from Veramark.Framework.dll to decrypt service account credentials.
Mandates secure management and protection of authenticators such as service account passwords, preventing their storage in a form recoverable via extractable hardcoded encryption keys.
Ensures timely flaw remediation, such as upgrading to Calero VeraSMART 2026 R1, to eliminate the hardcoded keys vulnerability before exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Hardcoded AES keys in DLL enable decryption of service account password from local config file (T1552.001); recovered creds allow authentication as that account for local priv-esc (T1078.003).
NVD Description
Calero VeraSMART versions prior to 2026 R1 contain hardcoded static AES encryption keys within Veramark.Framework.dll (Veramark.Core.Config class). These keys are used to encrypt the password of the service account stored in C:\\VeraSMART Data\\app.settings. An attacker with local access to the…
more
system can extract the hardcoded keys from the Veramark.Framework.dll module and decrypt the stored credentials. The recovered credentials can then be used to authenticate to the Windows host, potentially resulting in local privilege escalation depending on the privileges of the configured service account.
Deeper analysisAI
CVE-2026-26334 is a vulnerability in Calero VeraSMART versions prior to 2026 R1, stemming from hardcoded static AES encryption keys embedded in the Veramark.Framework.dll module, specifically within the Veramark.Core.Config class. These keys are used to encrypt the password of the service account, which is stored in the C:\VeraSMART Data\app.settings file. The issue, classified under CWE-798 (Use of Hard-coded Credentials), has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with local access to the affected system and low privileges can extract the hardcoded keys directly from the Veramark.Framework.dll module and use them to decrypt the service account credentials stored in the app.settings file. The recovered credentials enable authentication to the Windows host as the service account, potentially leading to local privilege escalation depending on the privileges assigned to that account.
Advisories indicate that upgrading to Calero VeraSMART 2026 R1 resolves the issue by addressing the hardcoded keys. Further details are available from the vendor at https://www.calero.com/ and the VulnCheck advisory at https://www.vulncheck.com/advisories/calero-verasmart-2026-r1-hardcoded-static-aes-keys-allow-decryption-of-service-credentials.
Details
- CWE(s)