Skip to main content

PAVO Pay CVE-2025-4130

HIGH
Use of Hard-coded Credentials (CWE-798)
2025-07-21 iletisim@usom.gov.tr
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 18:40 vuln.today

DescriptionCVE.org

Use of Hard-coded Credentials vulnerability in PAVO Inc. PAVO Pay allows Read Sensitive Constants Within an Executable.

This issue affects PAVO Pay: before 13.05.2025.

AnalysisAI

Sensitive constant disclosure in PAVO Inc.'s PAVO Pay (versions before 13.05.2025) allows remote attackers to extract hard-coded credentials embedded in the application binary, undermining authentication controls for the payment platform. The CVSS 7.5 score reflects high confidentiality impact with no required privileges or user interaction, though EPSS at 0.27% suggests limited mass exploitation interest and no public exploit identified at time of analysis. The disclosure originated from Turkey's national CERT (USOM), indicating a coordinated vendor advisory.

Technical ContextAI

PAVO Pay is a payment processing solution from Turkish vendor PAVO Inc. The root cause is CWE-798 (Use of Hard-coded Credentials), where authentication secrets - such as API keys, encryption keys, or service credentials - are embedded directly within the executable rather than retrieved from a secure secret store or configuration vault. An attacker who obtains the binary (via mobile app distribution, installer extraction, or filesystem access) can statically analyze it with tools like strings, IDA, Ghidra, or decompilers to recover these constants. The 'Authentication Bypass' tag suggests the embedded credentials can be reused against PAVO Pay backend services to impersonate trusted clients.

Affected ProductsAI

PAVO Pay by PAVO Inc., all versions released before 13.05.2025 (13 May 2025). No CPE strings were provided in the input data, so exact product variants (mobile SDK, POS firmware, backend integration library) are not enumerated. Vendor and national CERT advisories are published at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0166 and https://www.usom.gov.tr/bildirim/tr-25-0166.

RemediationAI

Upgrade PAVO Pay to the version released on or after 13.05.2025 as referenced in the USOM advisory TR-25-0166 (https://www.usom.gov.tr/bildirim/tr-25-0166) - patch available per vendor advisory, with no granular semantic version identified in the provided data. Because hard-coded credentials remain valid until rotated, operators should also coordinate with PAVO to rotate any API keys, signing secrets, or service credentials that may have been embedded in vulnerable builds, even after upgrading. As a compensating control where immediate upgrade is not possible, restrict network egress from PAVO Pay clients to only the PAVO backend FQDNs and monitor for anomalous authentication patterns; binary obfuscation alone is not a reliable mitigation since static analysis can defeat it.

Share

CVE-2025-4130 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy