CVE-2025-4876
Essential information
- Published
- 19/05/2025 16:15
- Modified
- 19/05/2025 16:15
- Author
- —
- Creator
- —
- CVSS
- 6.0 MEDIUM (v3.1)
- CISA KEV
- No
- CWE
- —
- CVSS vector
-
—
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N—
CVSS metrics
- Access vector
- —
- Access complexity
- —
- Authentication
- —
- Confidentiality impact
- —
- Integrity impact
- —
- Availability impact
- —
- Exploitability
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- LOCAL
- Attack complexity
- LOW
- Privileges required
- HIGH
- User interaction
- NONE
- Scope
- CHANGED
- Confidentiality impact
- HIGH
- Integrity impact
- NONE
- Availability impact
- NONE
- Exploit code maturity
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- —
- Attack complexity
- —
- Attack requirements
- —
- Privileges required
- —
- User interaction
- —
- Confidentiality (V)
- —
- Confidentiality (S)
- —
- Integrity (V)
- —
- Integrity (S)
- —
- Availability (V)
- —
- Availability (S)
- —
- Exploit maturity
- —
Description
ConnectWise-Password-Encryption-Utility.exe in ConnectWise Risk Assessment allows an attacker to extract a hardcoded AES decryption key via reverse engineering. This key is embedded in plaintext within the binary and used in cryptographic operations without dynamic key management. Once obtained the key can be used to decrypt CSV input files used for authenticated network scanning.
NVD status
- Status
- Received — CVE has been recently published to the CVE List and has been received by the NVD.
- Source
- 7d616e1a-3288-43b1-a0dd-0a65d3e70a49
- NVD
- View on NVD
Affected products (CPE)
| Product | CPE |
|---|---|
| connectwise / risk assessment | cpe:2.3:a:connectwise:risk_assessment:*:*:*:*:*:*:*:* |
| connectwise / password encryption utility | cpe:2.3:a:connectwise:password_encryption_utility:*:*:*:*:*:*:*:* |