Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-47276

Good to know:

icon

Date: May 13, 2025

Actualizer is a single shell script solution to allow developers and embedded engineers to create Debian operating systems (OS). Prior to version 1.2.0, Actualizer uses OpenSSL's "-passwd" function, which uses SHA512 instead of a more suitable password hasher like Yescript/Argon2i. All Actualizer users building a full Debian Operating System are affected. Users should upgrade to version 1.2.0 of Actualizer. Existing OS deployment requires manual password changes against the alpha and root accounts. The change will deploy's Debian's yescript overriding the older SHA512 hash created by OpenSSL. As a workaround, users need to reset both "root" and "Alpha" users' passwords.

Severity Score

Related Resources (9)

https://github.com/ChewKeanHo/Actualizer/issues/1
https://github.com/ChewKeanHo/Actualizer/security/advisories/GHSA-v626-chv9-v9qr
https://github.com/ChewKeanHo/Actualizer/commit/32c9cc232c856f078f8269fba80ce7562bbff86b
https://github.com/openssl/openssl/issues/19340
https://github.com/ChewKeanHo/Actualizer/releases/tag/v1.2.0
https://www.reddit.com/r/debian/comments/1kknzqi/actualizer_v110_upgraded
https://nvd.nist.gov/vuln/detail/CVE-2025-47276
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
https://www.mend.io/vulnerability-database/CVE-2025-47276

Severity Score

Weakness Type (CWE)

Use of Weak Hash

CWE-328

Top Fix

icon

Upgrade Version

Upgrade to version https://github.com/ChewKeanHo/Actualizer.git - v1.2.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): HIGH
Availability (A): NONE

Do you need more information?

Contact Us