Full Report
CERT Polska has received a report about 4 vulnerabilities (from CVE-2026-35095 to CVE-2026-35098) found in KTM System e-BOK software.
Analysis Summary
# Vulnerability: Multiple Flaws in KTM System e-BOK
## CVE Details
- **CVE ID:** CVE-2026-35095
  - **CVSS Score:** Not explicitly provided in source (Estimated Medium/High)
  - **CWE:** CWE-384 (Session Fixation)
- **CVE ID:** CVE-2026-35096
  - **CVSS Score:** Not explicitly provided in source (Estimated Medium/High)
  - **CWE:** CWE-352 (Cross-Site Request Forgery)
- **CVE ID:** CVE-2026-35097
  - **CVSS Score:** Not explicitly provided in source (Estimated Low/Medium)
  - **CWE:** CWE-521 (Weak Password Requirements)
- **CVE ID:** CVE-2026-35098
  - **CVSS Score:** Not explicitly provided in source (Estimated High when chained with CVE-2026-35097)
  - **CWE:** CWE-307 (Improper Restriction of Excessive Authentication Attempts)
## Affected Systems
- **Products:** KTM System e-BOK (Electronic Customer Service Office)
- **Versions:** All versions prior to June 2026 (06.2026)
- **Configurations:** Default web-facing installations are primary targets.
## Vulnerability Description
KTM System e-BOK suffered from four distinct security flaws that, when combined, significantly compromised user account security:
1. **Session Fixation (CVE-2026-35095):** The application allowed client-side session identifiers to persist across the authentication boundary. An attacker could pre-set a cookie value, and if the victim logged in using that browser state, the attacker could hijack the session.
2. **CSRF (CVE-2026-35096):** Critical account actions (email and password changes) lacked anti-CSRF protections, allowing attackers to force authenticated users to change their credentials by visiting a malicious site.
3. **Weak Credential Policy (CVE-2026-35097):** The system restricted passwords to a maximum of six numeric digits, forbidding complex characters.
4. **Brute-Force Vulnerability (CVE-2026-35098):** No rate-limiting or lockouts were enforced on login attempts.
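The four flaws above all sit on the same login and account-management path, so they are easiest to understand side by side. The following Python example is added here and is not code from KTM System, CERT Polska or the e-BOK product; it models a toy in-memory account store whose flags switch between the weak behaviour the advisory describes and the hardened one: session ID rotation on login (CWE-384), a per-session CSRF token on e-mail changes (CWE-352), a length-based password policy in place of the six-digit numeric one (CWE-521), and a lockout after repeated failures (CWE-307). The class and function names, thresholds, credentials and e-mail addresses are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumed thresholds; the advisory gives no figures for the fixed version.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 900


def password_policy_ok(password: str) -> bool:
    """Length-based policy: a six-digit numeric PIN (the weak policy) is rejected."""
    return len(password) >= 12 and not password.isdigit()


class AccountStore:
    """Toy in-memory account/session store (assumed design, not the product's).
    Flags switch between the weak behaviour the advisory describes and the hardened one."""

    def __init__(self, rotate_session_on_login=True, enforce_lockout=True, require_csrf=True):
        self.users = {}     # username -> {"salt", "pw_hash", "email"}
        self.sessions = {}  # session id -> {"user": str | None, "csrf": str}
        self.failures = {}  # username -> (count, timestamp of last failure)
        self.rotate = rotate_session_on_login
        self.enforce_lockout = enforce_lockout
        self.require_csrf = require_csrf

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, username, password, email):
        if not password_policy_ok(password):
            raise ValueError("password does not meet policy")
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pw_hash": self._hash(password, salt), "email": email}

    def new_session(self):
        """Anonymous pre-authentication session, as the browser holds it before login."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None, "csrf": secrets.token_urlsafe(32)}
        return sid

    def _locked(self, username, now):
        count, last = self.failures.get(username, (0, 0.0))
        return self.enforce_lockout and count >= MAX_FAILED_ATTEMPTS and now - last < LOCKOUT_SECONDS

    def login(self, presented_sid, username, password, now=None):
        """Return the session id to set in the cookie after login, or None on failure."""
        now = time.time() if now is None else now
        if self._locked(username, now):
            return None  # CWE-307 mitigation: refuse attempts during the lockout window
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(self._hash(password, user["salt"]), user["pw_hash"]):
            count, _ = self.failures.get(username, (0, 0.0))
            self.failures[username] = (count + 1, now)
            return None
        self.failures.pop(username, None)
        if self.rotate:
            # Hardened: the pre-auth id is discarded, so a cookie value fixed
            # before login never becomes an authenticated session (CWE-384).
            self.sessions.pop(presented_sid, None)
            sid = secrets.token_urlsafe(32)
        else:
            # Weak: whatever id the client presented is promoted to an
            # authenticated session, which is the session fixation flaw.
            sid = presented_sid
        self.sessions[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
        return sid

    def csrf_token(self, sid):
        """Token the legitimate settings page embeds in its form."""
        return self.sessions[sid]["csrf"]

    def change_email(self, sid, new_email, csrf_token=None):
        """State-changing action; with require_csrf the per-session token is mandatory."""
        sess = self.sessions.get(sid)
        if sess is None or sess["user"] is None:
            return False
        if self.require_csrf and (csrf_token is None or not hmac.compare_digest(csrf_token, sess["csrf"])):
            return False  # a cross-site form post cannot read the token, so it is rejected (CWE-352)
        self.users[sess["user"]]["email"] = new_email
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery staple", "alice@example.test")
    pre = store.new_session()
    post = store.login(pre, "alice", "correct horse battery staple")
    print("session id rotated on login:", post != pre)
```

Running the script shows the hardened path rotating the session id; constructing `AccountStore(rotate_session_on_login=False, require_csrf=False)` reproduces the two weak behaviours, which is the configuration a regression test for the fix should assert against. The CSRF token here is bound to the session, so it is reissued whenever the session id changes.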
## Exploitation
- **Status:** Proof-of-concept availability is implied by the nature of the report; no evidence of exploitation in the wild at the time of the coordinated vulnerability disclosure (CVD).
- **Complexity:** Low (CVE-2026-35097 and 35098 allow for automated brute-forcing with minimal effort).
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Full account takeover and access to customer data).
- **Integrity:** High (Unauthorized modifications of account emails and passwords).
- **Availability:** Medium (Potential account lockout or mass account compromise).
## Remediation
### Patches
- **Update to Version 06.2026:** Users should upgrade to the version released in June 2026 or later, which addresses all four identified vulnerabilities.
### Workarounds
- No specific software workarounds provided. It is recommended to place the application behind a Web Application Firewall (WAF) to detect brute-force attempts and CSRF patterns until patching is complete.
## Detection
- **Indicators of Compromise:**
  - Long runs of HTTP 401 responses to the login endpoint from a single IP address, especially when followed by a 200 (brute-force).
  - Unexpected account email changes in system logs.
- **Detection Methods:**
  - Audit logs for repeated failed login attempts.
  - Verification of session cookie behavior (checking whether the session ID changes upon login).
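The brute-force indicator listed above can be turned into a concrete check. The following Python example is added here and is not from the advisory or the vendor: it parses constructed web-server access-log lines in combined log format, groups `POST` requests to the login endpoint by source IP, flags addresses that exceed a threshold of 401 responses within a sliding window, and marks those where a 200 follows the run of failures. The log format, endpoint path (`/login`), thresholds and sample addresses (documentation ranges) are assumptions; the real e-BOK log format is not given in the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in combined log format using documentation IP ranges;
# the real e-BOK log format is not given in the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2026:10:00:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [02/Jun/2026:10:00:02 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [02/Jun/2026:10:00:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [02/Jun/2026:10:00:04 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [02/Jun/2026:10:00:05 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [02/Jun/2026:10:00:06 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [02/Jun/2026:10:00:07 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [02/Jun/2026:10:00:08 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [02/Jun/2026:10:00:09 +0000] "POST /login HTTP/1.1" 200 2048
203.0.113.7 - - [02/Jun/2026:10:00:10 +0000] "GET /account HTTP/1.1" 200 4096
198.51.100.4 - - [02/Jun/2026:10:01:00 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.4 - - [02/Jun/2026:10:01:20 +0000] "POST /login HTTP/1.1" 200 2048
192.0.2.9 - - [02/Jun/2026:10:02:00 +0000] "GET /login HTTP/1.1" 200 1024
this line is malformed and must be skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_bruteforce(lines, login_path="/login", threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"peak_failures": n, "success_after_run": bool}} for source IPs
    that produced at least `threshold` 401s on the login endpoint within `window`."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] == login_path:
            by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        recent = []  # timestamps of failures still inside the sliding window
        run = 0      # consecutive failures since the last success
        for ev in events:
            if ev["status"] == 401:
                recent = [t for t in recent if ev["ts"] - t <= window] + [ev["ts"]]
                run += 1
                if len(recent) >= threshold:
                    f = findings.setdefault(ip, {"peak_failures": 0, "success_after_run": False})
                    f["peak_failures"] = max(f["peak_failures"], len(recent))
            elif ev["status"] == 200:
                # A success immediately after a long run of failures is the
                # strongest signal that a guessed credential was accepted.
                if ip in findings and run >= threshold:
                    findings[ip]["success_after_run"] = True
                run = 0
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {f['peak_failures']} failures in window, "
              f"success after run: {f['success_after_run']}")
```

On the constructed sample the single flagged address is the one with eight failures followed by a success; the address with one typo and then a success stays below threshold, and the malformed line is skipped rather than aborting the run. The window and threshold are the knobs to tune against a site's normal login-failure rate before alerting on them.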
## References
- CERT Polska Advisory: hxxps[://]cert[.]pl/en/posts/2026/06/vulnerabilities-in-ktm-system-e-bok/
- CVE Records:
  - hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-35095
  - hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-35096
  - hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-35097
  - hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-35098