CVE-2025-0714

Feb. 19, 2025, 9:15 a.m.

6.5
Medium

Description

The vulnerability exists in the password storage of Mobateks MobaXterm in versions below 25.0. MobaXTerm uses an initialisation vector (IV) consisting only of zero bytes and a master key to encrypt each password individually. In the default configuration, on opening MobaXTerm, the user is prompted for their password. A derivative of the password is used as the master key. As both the master key and the IV are the same for each stored password, the AES CFB ciphertext depends only on the plaintext (the password). The static IV and master key make it easier to obtain sensitive information and to decrypt data when it is stored at rest.

Product(s) Impacted

Product Versions
Mobateks MobaXterm
  • below 25.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-1204
Generation of Weak Initialization Vector (IV)
The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.

References

https://www.cirosec.de/sa/sa-2024-012

Tags

a341c0d1-ebf7-493f-a84e-38cf86618674
CWE-1204
2025-02-17
CVE-2025-0714

CVSS Score

6.5 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

    View Vector String

Timeline

Published: Feb. 17, 2025, 12:15 p.m.
Last Modified: Feb. 19, 2025, 9:15 a.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

a341c0d1-ebf7-493f-a84e-38cf86618674

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.