PAVO Pay CVE-2025-4130
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Use of Hard-coded Credentials vulnerability in PAVO Inc. PAVO Pay allows Read Sensitive Constants Within an Executable.
This issue affects PAVO Pay: before 13.05.2025.
AnalysisAI
Sensitive constant disclosure in PAVO Inc.'s PAVO Pay (versions before 13.05.2025) allows remote attackers to extract hard-coded credentials embedded in the application binary, undermining authentication controls for the payment platform. The CVSS 7.5 score reflects high confidentiality impact with no required privileges or user interaction, though EPSS at 0.27% suggests limited mass exploitation interest and no public exploit identified at time of analysis. The disclosure originated from Turkey's national CERT (USOM), indicating a coordinated vendor advisory.
Technical ContextAI
PAVO Pay is a payment processing solution from Turkish vendor PAVO Inc. The root cause is CWE-798 (Use of Hard-coded Credentials), where authentication secrets - such as API keys, encryption keys, or service credentials - are embedded directly within the executable rather than retrieved from a secure secret store or configuration vault. An attacker who obtains the binary (via mobile app distribution, installer extraction, or filesystem access) can statically analyze it with tools like strings, IDA, Ghidra, or decompilers to recover these constants. The 'Authentication Bypass' tag suggests the embedded credentials can be reused against PAVO Pay backend services to impersonate trusted clients.
Affected ProductsAI
PAVO Pay by PAVO Inc., all versions released before 13.05.2025 (13 May 2025). No CPE strings were provided in the input data, so exact product variants (mobile SDK, POS firmware, backend integration library) are not enumerated. Vendor and national CERT advisories are published at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0166 and https://www.usom.gov.tr/bildirim/tr-25-0166.
RemediationAI
Upgrade PAVO Pay to the version released on or after 13.05.2025 as referenced in the USOM advisory TR-25-0166 (https://www.usom.gov.tr/bildirim/tr-25-0166) - patch available per vendor advisory, with no granular semantic version identified in the provided data. Because hard-coded credentials remain valid until rotated, operators should also coordinate with PAVO to rotate any API keys, signing secrets, or service credentials that may have been embedded in vulnerable builds, even after upgrading. As a compensating control where immediate upgrade is not possible, restrict network egress from PAVO Pay clients to only the PAVO backend FQDNs and monitor for anomalous authentication patterns; binary obfuscation alone is not a reliable mitigation since static analysis can defeat it.
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today