Skip to main content

EZCast Pro II CVE-2025-13955

CRITICAL
Use of Insufficiently Random Values (CWE-330)
2025-12-10 vulnerability@ncsc.ch
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:L/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:L/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 13:30 vuln.today

DescriptionCVE.org

Predictable default Wi-Fi Password in Access Point functionality in EZCast Pro II before version 1.17478.177 allows attackers in Wi-Fi range to gain access to the dongle by calculating the default password from observable device identifiers

AnalysisAI

Wireless network compromise of EZCast Pro II dongles before version 1.17478.177 occurs because the device's Access Point mode uses a predictable default Wi-Fi password derived from observable identifiers, allowing any attacker within radio range to compute the credential and join the dongle's network. CVSS 4.0 score 9.3 reflects adjacent-network attack vector with no authentication required, and no public exploit identified at time of analysis, though the algorithm is reportedly reversible from broadcast data.

Technical ContextAI

EZCast Pro II is a wireless display/screen-mirroring dongle that, like many consumer presentation devices, exposes its own Wi-Fi Access Point so client devices can connect and stream content. The root cause maps to CWE-330 (Use of Insufficiently Random Values): rather than generating a per-device random WPA passphrase, the firmware derives the default password deterministically from device identifiers (such as MAC address or serial fragments) that are broadcast in 802.11 beacon and probe frames. Because anyone in RF range can observe those identifiers passively, the supposedly secret pre-shared key reduces to a small or fully predictable keyspace, defeating the WPA/WPA2 confidentiality model the dongle relies on.

Affected ProductsAI

EZCast Pro II screen-mirroring dongles running firmware prior to version 1.17478.177 are affected; no CPE strings were provided in the input data and the NVD references do not enumerate hardware revisions, so coverage across specific SKUs of the Pro II line should be confirmed against the vendor release notes published at https://www.nimbletech.com.tw/index.php/release-note/. The coordinated disclosure case is tracked by the Swiss NCSC at https://www.ncsc.admin.ch/ncsc/en/home/infos-fuer/infos-it-spezialisten/themen/schwachstelle-melden/cvd-cases/cvd-case-1-test.html.

RemediationAI

Vendor-released patch: firmware version 1.17478.177 - upgrade all EZCast Pro II dongles to this release or later, consulting the Nimbletech release notes at https://www.nimbletech.com.tw/index.php/release-note/ and the NCSC coordinated disclosure entry at https://www.ncsc.admin.ch/ncsc/en/home/infos-fuer/infos-it-spezialisten/themen/schwachstelle-melden/cvd-cases/cvd-case-1-test.html for upgrade procedure. As compensating controls until firmware is applied, manually change the default Wi-Fi passphrase on each dongle to a long random value (eliminates the predictable-derivation path but requires per-device administration), disable the dongle's standalone Access Point mode and operate it only in client/infrastructure mode joined to a managed SSID (removes the attack surface but breaks ad-hoc casting), or physically locate dongles where RF leakage outside the trusted area is minimized (reduces but does not eliminate exposure in dense office buildings).

Share

CVE-2025-13955 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy