Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-65998

Good to know:

icon
icon

Date: November 24, 2025

Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values. This is not affecting encrypted plain attributes, whose values are also stored using AES encryption. Users are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue.

Severity Score

Related Resources (7)

https://github.com/apache/syncope/commit/9d706af25d2e60327b8b5b63186f9da51ed79a1d
https://nvd.nist.gov/vuln/detail/CVE-2025-65998
https://github.com/apache/syncope/commit/297498ebfc86e4996f5e3e4ef7b7f8b1cd82004b
https://github.com/apache/syncope
http://www.openwall.com/lists/oss-security/2025/11/24/1
https://lists.apache.org/thread/fjh0tb0d1xkbphc5ogdsc348ppz88cts
https://www.mend.io/vulnerability-database/CVE-2025-65998

Severity Score

Weakness Type (CWE)

Use of Hard-coded Cryptographic Key

CWE-321

Top Fix

icon

Upgrade Version

Upgrade to version org.apache.syncope.core:syncope-core-spring:4.0.3;org.apache.syncope.core:syncope-core-spring:3.0.15;org.apache.syncope:syncope-core:4.0.3;org.apache.syncope:syncope-core:3.0.15;https://github.com/apache/syncope.git - syncope-4.0.3;https://github.com/apache/syncope.git - syncope-3.0.15

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us