Calero VeraSMART Hardcoded AES Keys in Veramark.Framework.dll Allow Decryption of Service Credentials

Vulnerability

In Calero VeraSMART versions prior to 2026 R1, hardcoded AES encryption keys are embedded within the Veramark.Framework.dll file, specifically in the Veramark.Core.Config class. These keys encrypt the passwords of service accounts stored in the application settings file. An attacker with local access can extract these keys, decrypt the credentials, and use them to authenticate to the Windows host. This could lead to local privilege escalation, depending on the rights associated with the service account.

Impact

Exploitation of this vulnerability allows for the decryption of service account passwords, which can be used to authenticate to the Windows host. This could result in local privilege escalation, depending on the privileges of the service account.

Added: Feb 13, 2026, 9:30 PM
Updated: Feb 14, 2026, 12:37 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 2.9
remediation: 0.0
relevance: 2.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.