Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link.
AnalysisAI
Cryptobox external sharing feature leaks information via sharing link URLs that enables offline brute-force attacks against access codes. Remote unauthenticated attackers with knowledge of a sharing link can retrieve sufficient data from the server to conduct offline enumeration of the associated access code, compromising the confidentiality of shared content. No public exploit code has been identified, but the low attack complexity and network accessibility make this a practical vulnerability.
Technical ContextAI
Cryptobox implements external file sharing functionality that uses URLs containing sharing links as access control mechanisms. The vulnerability stems from CWE-280 (Improper Handling of Insufficient Permissions or Privileges), where the sharing link endpoint returns information that leaks details about the access code structure or validation logic. This allows attackers to perform offline cryptographic attacks (brute-force, dictionary attacks) against the access code without rate-limiting or server-side validation constraints that would normally throttle repeated guesses. The attack is feasible because the server discloses sufficient entropy or implementation details in its response to a sharing link query.
RemediationAI
Contact Cryptobox vendor (ERCOM) via THA-PSIRT or official advisory channel at https://info.cryptobox.com/ to obtain the latest patched version. Until patching is possible, implement network-level access controls: restrict Cryptobox sharing endpoints to trusted IP ranges or require VPN access, and disable public external sharing if not operationally required. Additionally, configure Cryptobox to use cryptographically random, high-entropy access codes (minimum 128-bit entropy recommended) and enforce rate-limiting on access code validation attempts (e.g., max 5 attempts per sharing link per hour) to increase the cost of offline brute-force attacks. Monitor access logs for anomalous patterns of sharing link queries from single sources.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28342
GHSA-p3ph-4r57-hh5x