PatchSiren cyber security CVE debrief
CVE-2026-1958 BRI CVE debrief
A critical vulnerability in the KlinikaXP and KlinikaXP Insertino software products involved hard-coded credentials embedded in application code, enabling unauthorized access to internal services, including an FTP server hosting software update packages. An attacker holding these credentials could upload malicious files that would then be distributed to client machines as legitimate updates, creating a software supply chain compromise vector. The vulnerability was assigned a CVSS 4.0 score of 8.7 (HIGH severity). Affected versions are KlinikaXP before 5.39.01.01 and KlinikaXP Insertino before 3.1.0.1. The vendor has addressed the issue by removing hard-coded credentials from the code and rotating the previously exposed credentials to prevent continued exploitation.
- Vendor: BRI
- Product: KlinikaXP Insertino
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-23
- Original CVE updated: 2026-05-19
- Advisory published: 2026-03-23
- Advisory updated: 2026-05-19
Who should care
Healthcare organizations using KlinikaXP practice management software; IT administrators responsible for medical software deployment; security teams monitoring supply chain integrity; compliance officers responsible for healthcare data protection standards
Technical summary
The vulnerability stems from CWE-798 (Use of Hard-coded Credentials) in KlinikaXP healthcare software products. Hard-coded credentials granted access to an FTP server containing software update packages. The attack chain: (1) attacker obtains credentials from application code or binaries, (2) authenticates to internal FTP server, (3) uploads malicious update package, (4) legitimate clients download and install compromised update. This creates a software supply chain attack with potential for widespread client compromise. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N. The vendor has remediated by removing embedded credentials and rotating exposed credentials.
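Step (4) of the attack chain only works because clients install whatever the FTP server serves. The following is an added defensive example, not the vendor's updater and not code from the advisory: it verifies each downloaded package against a manifest of pinned SHA-256 digests that the operator is assumed to have obtained out of band (for example from a signed vendor notice or a hardened internal channel, never from the update server itself), and it labels files as ok, mismatch or unlisted so that only verified packages reach the installer. File names and package bytes are constructed placeholders.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file so large update packages never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_updates(download_dir: Path, pinned: dict[str, str]) -> dict[str, str]:
    """Classify every file fetched from the update server.

    `pinned` maps package file names to expected SHA-256 hex digests.
    Assumption: the manifest was obtained out of band. If it were fetched
    from the same FTP server, an attacker with the server credentials could
    replace both the package and the manifest, and this check would pass.
    Returns 'ok', 'mismatch' or 'unlisted' per file; only 'ok' packages
    should be handed to the installer.
    """
    results: dict[str, str] = {}
    for path in sorted(download_dir.iterdir()):
        if not path.is_file():
            continue
        expected = pinned.get(path.name)
        if expected is None:
            results[path.name] = "unlisted"          # nobody pinned it: refuse
        elif hmac.compare_digest(sha256_file(path), expected):
            results[path.name] = "ok"
        else:
            results[path.name] = "mismatch"          # served by a trusted host, still wrong
    return results


def demo() -> dict[str, str]:
    """Constructed scenario: one genuine package, one silently replaced, one extra file."""
    genuine = b"KLINIKAXP-UPDATE-5.39.01.01 (constructed placeholder bytes)"
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "klinikaxp-5.39.01.01.zip").write_bytes(genuine)
        (d / "insertino-3.1.0.1.zip").write_bytes(b"not what the vendor shipped")
        (d / "hotfix.exe").write_bytes(b"file nobody pinned")
        # Hypothetical out-of-band manifest: the Insertino digest belongs to the
        # real package, so the tampered file on disk will not match it.
        pinned = {
            "klinikaxp-5.39.01.01.zip": hashlib.sha256(genuine).hexdigest(),
            "insertino-3.1.0.1.zip": hashlib.sha256(b"the vendor's real package").hexdigest(),
        }
        return check_updates(d, pinned)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The point of the three outcomes is that a package served by the legitimate FTP host is treated exactly like one from anywhere else: origin grants it nothing, only a matching pinned digest does. `hmac.compare_digest` is used for the comparison so the check does not leak timing information about the expected digest.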
Defensive priority
HIGH
Recommended defensive actions
- Inventory all deployments of KlinikaXP and KlinikaXP Insertino to identify versions prior to 5.39.01.01 and 3.1.0.1 respectively
- Upgrade affected installations to KlinikaXP 5.39.01.01 or later, or KlinikaXP Insertino 3.1.0.1 or later
- Verify that previously deployed instances have received and applied the security update
- Review network access controls to restrict FTP and internal service exposure where possible
- Monitor for any anomalous update package activity or unexpected file modifications on client systems
- If unable to immediately patch, consider network segmentation to isolate affected systems from untrusted networks
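The first two actions above turn on comparing four-component version strings against the fixed versions 5.39.01.01 and 3.1.0.1. A plain string comparison gets this wrong (it ranks "5.4.0.0" above "5.39.01.01"), so here is an added example, not part of the debrief or any BRI tooling, that parses versions numerically and flags inventory entries that still need the upgrade. The hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Iterable, NamedTuple

# Fixed versions from the advisory for CVE-2026-1958; anything earlier is affected.
FIXED_VERSIONS = {
    "klinikaxp": "5.39.01.01",
    "klinikaxp insertino": "3.1.0.1",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '5.39.01.01' into (5, 39, 1, 1) so components compare numerically.

    String comparison would rank '5.4.0.0' above '5.39.01.01' and be confused
    by leading zeros; integers avoid both. Short versions are zero-padded to
    four components so '5.39' compares as 5.39.0.0.
    """
    parts = text.strip().split(".")
    if not parts or not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_affected(product: str, version: str) -> bool:
    """True when the installed version is older than the fixed version."""
    key = " ".join(product.lower().split())   # tolerate case and spacing differences
    if key not in FIXED_VERSIONS:
        raise KeyError(f"product not covered by this advisory: {product!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[key])


class Host(NamedTuple):
    hostname: str
    product: str
    version: str


def hosts_needing_upgrade(inventory: Iterable[Host]) -> list[str]:
    """Return hostnames whose installed product is still in the affected range."""
    return [h.hostname for h in inventory if is_affected(h.product, h.version)]


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    Host("reception-01", "KlinikaXP", "5.38.02.10"),          # older -> affected
    Host("reception-02", "KlinikaXP", "5.39.01.01"),          # exactly the fix -> clean
    Host("lab-pc", "KlinikaXP", "5.4.0.0"),                   # 4 < 39 -> affected
    Host("ins-gateway", "KlinikaXP Insertino", "3.0.9.9"),    # affected
    Host("ins-backup", "KlinikaXP  Insertino", "3.1.0.2"),    # newer than the fix -> clean
]

if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: upgrade required")
```

The product key normalisation matters in practice because inventory exports rarely spell product names consistently; an unknown product raises rather than silently reporting "not affected", which is the failure mode to avoid in an inventory pass.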
Evidence notes
Primary evidence source is CERT.PL advisory. CVSS 4.0 vector confirms network attack vector with low attack complexity, no privileges required, and high confidentiality impact. CWE-798 (Use of Hard-coded Credentials) is the assigned weakness. Vendor remediation confirmed through credential rotation and code changes.
Official resources
Disclosed 2026-03-23 via CERT.PL and NVD. The vulnerability was reported through coordinated vulnerability disclosure. No known exploitation in the wild has been confirmed; the issue is not listed in CISA KEV.