← Back

CVE-2025-4876

nvd nist
Published: May 19, 2025Modified: Oct 2, 2025

JSON object

Loading...
4.4
Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Exploitability: 0.8 / Impact: 3.6
Source: NVD

Description

ConnectWise-Password-Encryption-Utility.exe in ConnectWise Risk Assessment allows an attacker to extract a hardcoded AES decryption key via reverse engineering. This key is embedded in plaintext within the binary and used in cryptographic operations without dynamic key management. Once obtained the key can be used to decrypt CSV input files used for authenticated network scanning.

Affected (1)

Connectwise
1 product
Risk Assessment
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Risk Assessment
Before 2023-07-01

Related CWEs

CWE-321
Use of Hard-coded Cryptographic Key
The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

References (1)

Source: 7d616e1a-3288-43b1-a0dd-0a65d3e70a49
Third Party Advisory

Timeline

No history available yet.