exploitDog

CVE-2025-4876

Опубликовано: 19 мая 2025

Источник: nvd

CVSS3: 6

CVSS3: 4.4

EPSS Низкий

Описание

ConnectWise-Password-Encryption-Utility.exe in ConnectWise Risk Assessment allows an attacker to extract a hardcoded AES decryption key via reverse engineering. This key is embedded in plaintext within the binary and used in cryptographic operations without dynamic key management. Once obtained the key can be used to decrypt CSV input files used for authenticated network scanning.

Ссылки

https://github.com/packetlabs/vulnerability-advisory/blob/main/Disclosures/PL-2025-11315/README.md
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:connectwise:risk_assessment:*:*:*:*:*:*:*:*

Версия до 2023-07-01 (исключая)

EPSS

Процентиль: 1%

0.00011

Низкий

6 Medium

CVSS3

4.4 Medium

CVSS3

Дефекты

CWE-321

Связанные уязвимости

GHSA-prf9-gx8m-9cfq

CVSS3: 6

github

9 месяцев назад

ConnectWise-Password-Encryption-Utility.exe in ConnectWise Risk Assessment allows an attacker to extract a hardcoded AES decryption key via reverse engineering. This key is embedded in plaintext within the binary and used in cryptographic operations without dynamic key management. Once obtained the key can be used to decrypt CSV input files used for authenticated network scanning.

EPSS

Процентиль: 1%

0.00011

Низкий

6 Medium

CVSS3

4.4 Medium

CVSS3

Дефекты

CWE-321