CWE-760
Use of a One-Way Hash with a Predictable Salt
The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.
CVE-2018-5552 (GCVE-0-2018-5552)
Vulnerability from cvelistv5
Published
2018-03-19 15:00
Modified
2024-08-05 05:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-760 - Use of a One-Way Hash with a Predictable Salt ()
Summary
Versions of DocuTrac QuicDoc and Office Therapy that ship with DTISQLInstaller.exe version 1.6.4.0 and prior contains a hard-coded cryptographic salt, "S@l+&pepper".
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| DocuTrac | DTISQLInstaller.exe |
Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T05:40:50.601Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.rapid7.com/2018/03/14/r7-2018-01-cve-2018-5551-cve-2018-5552-docutrac-office-therapy-installer-hard-coded-credentials-and-cryptographic-salt/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Windows"
],
"product": "DTISQLInstaller.exe",
"vendor": "DocuTrac",
"versions": [
{
"lessThanOrEqual": "1.6.4.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2018-03-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Versions of DocuTrac QuicDoc and Office Therapy that ship with DTISQLInstaller.exe version 1.6.4.0 and prior contains a hard-coded cryptographic salt, \"S@l+\u0026pepper\"."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-760",
"description": "Use of a One-Way Hash with a Predictable Salt (CWE-760)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-19T14:57:01.000Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.rapid7.com/2018/03/14/r7-2018-01-cve-2018-5551-cve-2018-5552-docutrac-office-therapy-installer-hard-coded-credentials-and-cryptographic-salt/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "DocuTrac DTISQLInstaller.exe Hard-Coded Salt",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"ID": "CVE-2018-5552",
"STATE": "PUBLIC",
"TITLE": "DocuTrac DTISQLInstaller.exe Hard-Coded Salt"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DTISQLInstaller.exe",
"version": {
"version_data": [
{
"affected": "\u003c=",
"platform": "Windows",
"version_affected": "\u003c=",
"version_value": "1.6.4.0"
}
]
}
}
]
},
"vendor_name": "DocuTrac"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Versions of DocuTrac QuicDoc and Office Therapy that ship with DTISQLInstaller.exe version 1.6.4.0 and prior contains a hard-coded cryptographic salt, \"S@l+\u0026pepper\"."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Use of a One-Way Hash with a Predictable Salt (CWE-760)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.rapid7.com/2018/03/14/r7-2018-01-cve-2018-5551-cve-2018-5552-docutrac-office-therapy-installer-hard-coded-credentials-and-cryptographic-salt/",
"refsource": "MISC",
"url": "https://blog.rapid7.com/2018/03/14/r7-2018-01-cve-2018-5551-cve-2018-5552-docutrac-office-therapy-installer-hard-coded-credentials-and-cryptographic-salt/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2018-5552",
"datePublished": "2018-03-19T15:00:00.000Z",
"dateReserved": "2018-01-12T00:00:00.000Z",
"dateUpdated": "2024-08-05T05:40:50.601Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-28214 (GCVE-0-2020-28214)
Vulnerability from cvelistv5
Published
2020-12-11 00:51
Modified
2024-08-04 16:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-760 - Use of a One-Way Hash with a Predictable Salt
Summary
A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute the hash value using dictionary attack technique such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Modicon M221 (all references, all versions) |
Version: Modicon M221 (all references, all versions) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:33:58.330Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.se.com/ww/en/download/document/SEVD-2020-315-05/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-343-04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Modicon M221 (all references, all versions)",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Modicon M221 (all references, all versions)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute the hash value using dictionary attack technique such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-760",
"description": "CWE-760: Use of a One-Way Hash with a Predictable Salt",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-11T20:30:49.000Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.se.com/ww/en/download/document/SEVD-2020-315-05/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-343-04"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@schneider-electric.com",
"ID": "CVE-2020-28214",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Modicon M221 (all references, all versions)",
"version": {
"version_data": [
{
"version_value": "Modicon M221 (all references, all versions)"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute the hash value using dictionary attack technique such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-760: Use of a One-Way Hash with a Predictable Salt"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.se.com/ww/en/download/document/SEVD-2020-315-05/",
"refsource": "CONFIRM",
"url": "https://www.se.com/ww/en/download/document/SEVD-2020-315-05/"
},
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-343-04",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-343-04"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2020-28214",
"datePublished": "2020-12-11T00:51:01.000Z",
"dateReserved": "2020-11-05T00:00:00.000Z",
"dateUpdated": "2024-08-04T16:33:58.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-38314 (GCVE-0-2021-38314)
Vulnerability from cvelistv5
Published
2021-09-02 16:53
Modified
2025-05-05 14:49
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of site’s `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Redux.io | Gutenberg Template Library & Redux Framework |
Version: 4.2.11 < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:37:16.480Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wordfence.com/blog/2021/09/over-1-million-sites-affected-by-redux-framework-vulnerabilities/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-38314",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-05T14:49:45.607205Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T14:49:49.173Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Gutenberg Template Library \u0026 Redux Framework",
"vendor": "Redux.io",
"versions": [
{
"lessThanOrEqual": "4.2.11",
"status": "affected",
"version": "4.2.11",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ramuel Gall, Wordfence"
}
],
"datePublic": "2021-09-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Gutenberg Template Library \u0026 Redux Framework plugin \u003c= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of \u0027-redux\u0027 and an md5 hash of the previous hash with a known salt value of \u0027-support\u0027. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site\u0027s PHP version, and an unsalted md5 hash of site\u2019s `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Information Exposure",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-760",
"description": "CWE-760 Use of a One-Way Hash with a Predictable Salt",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-02T16:53:54.000Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wordfence.com/blog/2021/09/over-1-million-sites-affected-by-redux-framework-vulnerabilities/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Gutenberg Template Library \u0026 Redux Framework \u003c= 4.2.11 Sensitive Information Disclosure",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@wordfence.com",
"DATE_PUBLIC": "2021-09-01T00:00:00.000Z",
"ID": "CVE-2021-38314",
"STATE": "PUBLIC",
"TITLE": "Gutenberg Template Library \u0026 Redux Framework \u003c= 4.2.11 Sensitive Information Disclosure"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Gutenberg Template Library \u0026 Redux Framework",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "4.2.11",
"version_value": "4.2.11"
}
]
}
}
]
},
"vendor_name": "Redux.io"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Ramuel Gall, Wordfence"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Gutenberg Template Library \u0026 Redux Framework plugin \u003c= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of \u0027-redux\u0027 and an md5 hash of the previous hash with a known salt value of \u0027-support\u0027. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site\u0027s PHP version, and an unsalted md5 hash of site\u2019s `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Information Exposure"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-760 Use of a One-Way Hash with a Predictable Salt"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wordfence.com/blog/2021/09/over-1-million-sites-affected-by-redux-framework-vulnerabilities/",
"refsource": "MISC",
"url": "https://www.wordfence.com/blog/2021/09/over-1-million-sites-affected-by-redux-framework-vulnerabilities/"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2021-38314",
"datePublished": "2021-09-02T16:53:54.200Z",
"dateReserved": "2021-08-09T00:00:00.000Z",
"dateUpdated": "2025-05-05T14:49:49.173Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22599 (GCVE-0-2023-22599)
Vulnerability from cvelistv5
Published
2023-01-12 22:31
Modified
2025-01-16 22:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-760 - Use of a One-way Hash with a Predictable Salt
Summary
InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-760: Use of a One-way Hash with a Predictable Salt. They
send MQTT credentials in response to HTTP/HTTPS requests from the cloud platform. These credentials are encoded using a hardcoded string into an MD5 hash. This string could be easily calculated by an unauthorized user who spoofed sending an HTTP/HTTPS request to the devices. This could result in the affected devices being temporarily disconnected from the cloud platform and allow the user to receive MQTT commands with potentially sensitive information.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| InHand Networks | InRouter 302 |
Version: 0 < IR302 V3.5.56 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:49.410Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"government-resource",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-03"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22599",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T20:22:33.707859Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T22:02:28.222Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "InRouter 302",
"vendor": "InHand Networks",
"versions": [
{
"lessThan": "IR302 V3.5.56",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "InRouter 615",
"vendor": "InHand Networks",
"versions": [
{
"lessThan": "InRouter6XX-S-V2.3.0.r5542",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Roni Gavrilov"
},
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "OTORIO"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eInHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-760: Use of a One-way Hash with a Predictable Salt. They\u0026nbsp;\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003esend MQTT credentials in response to HTTP/HTTPS requests from the cloud platform. These credentials are encoded using a hardcoded string into an MD5 hash. This string could be easily calculated by an unauthorized user who spoofed sending an HTTP/HTTPS request to the devices. This could result in the affected devices being temporarily disconnected from the cloud platform and allow the user to receive MQTT commands with potentially sensitive information. \u003c/span\u003e\n\n \u003c/span\u003e\n\n \n\n \u003c/span\u003e\n\n"
}
],
"value": "\nInHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-760: Use of a One-way Hash with a Predictable Salt. They\u00a0\n\nsend MQTT credentials in response to HTTP/HTTPS requests from the cloud platform. These credentials are encoded using a hardcoded string into an MD5 hash. This string could be easily calculated by an unauthorized user who spoofed sending an HTTP/HTTPS request to the devices. This could result in the affected devices being temporarily disconnected from the cloud platform and allow the user to receive MQTT commands with potentially sensitive information. \n\n \n\n \n\n \n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-760",
"description": "CWE-760 Use of a One-way Hash with a Predictable Salt",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-12T22:31:55.394Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-03"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2023-22599",
"datePublished": "2023-01-12T22:31:55.394Z",
"dateReserved": "2023-01-03T19:55:20.124Z",
"dateUpdated": "2025-01-16T22:02:28.222Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13951 (GCVE-0-2024-13951)
Vulnerability from cvelistv5
Published
2025-05-22 18:22
Modified
2025-05-22 18:41
Severity ?
6.1 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:L/SA:L
7.6 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
7.6 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
VLAI Severity ?
EPSS score ?
CWE
- CWE-760 - Use of a One-Way Hash with a Predictable Salt
Summary
One way hash with predictable salt vulnerabilities in ASPECT may expose sensitive information to a potential attackerThis issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ABB | ASPECT-Enterprise |
Version: 0 < |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13951",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-22T18:37:52.976910Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T18:41:09.174Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"platforms": [
"Linux"
],
"product": "ASPECT-Enterprise",
"vendor": "ABB",
"versions": [
{
"lessThanOrEqual": "3.*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "NEXUS Series",
"vendor": "ABB",
"versions": [
{
"lessThanOrEqual": "3.*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "MATRIX Series",
"vendor": "ABB",
"versions": [
{
"lessThanOrEqual": "3.*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ABB likes to thank Gjoko Krstikj, Zero Science Lab, for reporting the vulnerabilities in responsible disclosure"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "One way hash with predictable salt vulnerabilities in ASPECT may expose sensitive information to a potential attacker\u003cp\u003eThis issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.\u003c/p\u003e"
}
],
"value": "One way hash with predictable salt vulnerabilities in ASPECT may expose sensitive information to a potential attackerThis issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-760",
"description": "CWE-760 Use of a One-Way Hash with a Predictable Salt",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T18:22:27.226Z",
"orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"shortName": "ABB"
},
"references": [
{
"url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A0021\u0026LanguageCode=en\u0026DocumentPartId=pdf\u0026Action=Launch"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "One way hash with predictable salt",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"assignerShortName": "ABB",
"cveId": "CVE-2024-13951",
"datePublished": "2025-05-22T18:22:27.226Z",
"dateReserved": "2025-05-08T12:07:20.849Z",
"dateUpdated": "2025-05-22T18:41:09.174Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26486 (GCVE-0-2025-26486)
Vulnerability from cvelistv5
Published
2025-03-19 15:46
Modified
2025-07-02 14:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Broken or Risky Cryptographic Algorithm, Use of Password Hash
With Insufficient Computational Effort, Use of Weak Hash, Use of a
One-Way Hash with a Predictable Salt vulnerabilities in Beta80 "Life 1st Identity Manager"
enable an attacker with access to
password hashes
to bruteforce user passwords or find a collision to ultimately while attempting to gain access to a target application that uses "Life 1st Identity Manager" as a service for authentication.
This issue affects Life 1st: 1.5.2.14234.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26486",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-19T18:28:07.501414Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T18:28:28.268Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Life 1st",
"vendor": "Beta80",
"versions": [
{
"status": "affected",
"version": "1.5.2.14234"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Broken or Risky Cryptographic Algorithm, Use of Password Hash \nWith Insufficient Computational Effort, Use of Weak Hash, Use of a \nOne-Way Hash with a Predictable Salt vulnerabilities in Beta80 \"Life 1st Identity Manager\"\nenable an attacker with access to\npassword hashes\nto bruteforce user passwords or find a collision to ultimately while attempting to gain access to a target application that uses \"Life 1st Identity Manager\" as a service for authentication.\u003cbr\u003e\u003cp\u003eThis issue affects Life 1st: 1.5.2.14234.\u003c/p\u003e"
}
],
"value": "Broken or Risky Cryptographic Algorithm, Use of Password Hash \nWith Insufficient Computational Effort, Use of Weak Hash, Use of a \nOne-Way Hash with a Predictable Salt vulnerabilities in Beta80 \"Life 1st Identity Manager\"\nenable an attacker with access to\npassword hashes\nto bruteforce user passwords or find a collision to ultimately while attempting to gain access to a target application that uses \"Life 1st Identity Manager\" as a service for authentication.\nThis issue affects Life 1st: 1.5.2.14234."
}
],
"impacts": [
{
"capecId": "CAPEC-49",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-49 Password Brute Forcing"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-916",
"description": "CWE-916 Use of Password Hash With Insufficient Computational Effort",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-328",
"description": "CWE-328 Use of Weak Hash",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-760",
"description": "CWE-760 Use of a One-Way Hash with a Predictable Salt",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-02T14:34:15.470Z",
"orgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"shortName": "ENISA"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cvcn.gov.it/cvcn/cve/CVE-2025-26486"
},
{
"tags": [
"vdb-entry"
],
"url": "https://euvd.enisa.europa.eu/vulnerability/CVE-2025-26486"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"assignerShortName": "ENISA",
"cveId": "CVE-2025-26486",
"datePublished": "2025-03-19T15:46:34.309Z",
"dateReserved": "2025-02-11T08:24:51.661Z",
"dateUpdated": "2025-07-02T14:34:15.470Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9290 (GCVE-0-2025-9290)
Vulnerability from cvelistv5
Published
2026-01-22 23:14
Modified
2026-01-23 20:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-760 - Use of a One-Way Hash with a Predictable Salt
Summary
An authentication weakness was identified in Omada Controllers, Gateways and Access Points, controller-device adoption due to improper handling of random values. Exploitation requires advanced network positioning and allows an attacker to intercept adoption traffic and forge valid authentication through offline precomputation, potentially exposing sensitive information and compromising confidentiality.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9290",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-23T20:04:16.930287Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-23T20:04:29.976Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Omada Software Controller",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "6.0.0.24",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Cloud Controller",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "6.0.0.100",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Hardware Controller (OC200, OC300, OC400)",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "6.0.0.34",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Hardware Controller OC220",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "5.15.24",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Gateway (ER605 v2.0)",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "2.3.2 Build 20251029 Rel.12727",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Gateway (ER7206 v2.0)",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "2.2.2 Build 20250724 Rel.11109",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Gateway (ER7406, ER706W, ER706-4G)",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.2.x",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Gateway (ER707-M2, ER-8411)",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.3.x",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Gateway (ER7412-M2, ER706WP-4G, ER703WP-4G-Outdoor, DR3220v-4G, DR3650v, DR3650v-4G)",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.1.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Gateway (ER8411)",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.3.5 Build 20251028 Rel.06811",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Gateway (ER706W-4G 2.0)",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "2.1.0 Build 20250810 Rel.77020",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Gateway (ER701-5G-Outdoor)",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.0.0 Build 20250826 Rel.68862",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Gateway (ER605W 2.0)",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "2.0.2 Build 20250723 Rel.39048",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Gateway ER7212PC 2.0",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "2.2.1 Build 20251027 Rel.75129",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Festa Gateway FR365",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.1.10 Build 20250626 Rel.81746",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Gateway G36W-4G",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.1.5 Build 20250710 Rel.62142",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Access Point (EAP660 HD v1.0/v2.0, EAP620 HD v2.0/v3.0/v3.20, EAP610/EAP610-Outdoor v1.0/v2.0, EAP623-Outdoor HD v1.0, EAP625-Outdoor HD v1.0)EAP",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.6.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Access Point (EAP655-Wall v1.0)",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.6.2 Build 20251107 Rel.35700",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Access Point (EAP772 v1.0, EAP773 v1.0, EAP783 v1.0, EAP787 v1.0, EAP720 v1.0, EAP725-Wall v1.0, EAp723 v2.0)",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Access Point (EAP723 v1.0, EAP772 v2.0, EAP772-Outdoor v 1.0, EAP770 v2.0)",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.3.2 Build 20250901 Rel.52255",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Access Point (EAP215 Bridge KIT 3.0, EAP211 Bridge KIT 3.0)",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.1.4 Build 20251112 Rel.34769",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Beam Bridge 5 UR v1.0",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.1.5 Build 20250928 Rel.68499",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Access Point (EAP603GP-Desktop, EAP615GP-Wall 1.0/1.20, EAP625GP-Wall 1.0/1.20, EAP610GP-Desktop 1.0/1.20/1.26), EAP650-Desktop v1.0)",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.1.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Access Point (EAP650GP-Desktop 1.0)",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.0.1 Build 20250819 Rel.60298",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Access Point (EAP653 v1.0, EAP650-Outdoor v1.0)",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.3.3 Build 20251111 Rel.72627",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Access Point (EAP230-Wall v1.0, EAP235-Wall v1.0)",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "3.3.1 Build 20251203 Rel.58135",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Access Point (EAP603-Outdoor v1.0, EAP615-Wall v1.0/v1.20)",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.5.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Access Point (EAP653 UR v1.0)",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.4.2 Build 20251208 Rel.43830",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada Access Point (EAP615-Wall v1.0/v1.20)",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.5.10 Build 20250903 Rel.49784",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omada EAP100-Bridge KIT v1.0",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.0.3 Build 20251015 Rel.62058",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Stanislav Dashevskyi and Francesco La Spina of Forescout Technologies"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An authentication weakness was identified in Omada Controllers, Gateways and Access Points, controller-device adoption due to improper handling of random values. Exploitation requires advanced network positioning and allows an attacker to intercept adoption traffic and forge valid authentication through offline precomputation, potentially exposing sensitive information and compromising confidentiality."
}
],
"value": "An authentication weakness was identified in Omada Controllers, Gateways and Access Points, controller-device adoption due to improper handling of random values. Exploitation requires advanced network positioning and allows an attacker to intercept adoption traffic and forge valid authentication through offline precomputation, potentially exposing sensitive information and compromising confidentiality."
}
],
"impacts": [
{
"capecId": "CAPEC-112",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-112 Brute Force"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-760",
"description": "CWE-760 Use of a One-Way Hash with a Predictable Salt",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T23:14:45.823Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://support.omadanetworks.com/us/download/"
},
{
"tags": [
"patch"
],
"url": "https://support.omadanetworks.com/en/download/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://support.omadanetworks.com/us/document/114950/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authentication Weakness on Omada Controllers, Gateways and Access Points",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2025-9290",
"datePublished": "2026-01-22T23:14:45.823Z",
"dateReserved": "2025-08-20T22:24:20.340Z",
"dateUpdated": "2026-01-23T20:04:29.976Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation ID: MIT-51
Phase: Architecture and Design
Description:
- Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations ("stretching") or the amount of memory required. Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For example, rainbow table attacks can become infeasible due to the high computing overhead. Finally, since computing power gets faster and cheaper over time, the technique can be reconfigured to increase the workload without forcing an entire replacement of the algorithm in use.
- Some hash functions that have one or more of these desired properties include bcrypt [REF-291], scrypt [REF-292], and PBKDF2 [REF-293]. While there is active debate about which of these is the most effective, they are all stronger than using salts with hash functions with very little computing overhead.
- Note that using these functions can have an impact on performance, so they require special consideration to avoid denial-of-service attacks. However, their configurability provides finer control over how much CPU and memory is used, so it could be adjusted to suit the environment's needs.
Mitigation
Phase: Implementation
Description:
- If a technique that requires extra computational effort can not be implemented, then for each password that is processed, generate a new random salt using a strong random number generator with unpredictable seeds. Add the salt to the plaintext password before hashing it. When storing the hash, also store the salt. Do not use the same salt for every password.
No CAPEC attack patterns related to this CWE.