Monthly
Broken or risky cryptographic algorithm use in Dell PowerFlex Manager's SSH component (versions ≤4.6.2) allows a locally authenticated low-privileged attacker to bypass SSH protection mechanisms, affecting both Appliance and Rack form factors. The CVSS vector (AV:L/AC:H/PR:L) reflects significant exploitation barriers: physical or logical local access is required, attack complexity is high, and impact is limited to partial confidentiality and integrity loss with no availability impact. Dell has published dual advisories (DSA-2025-434 for Appliance, DSA-2025-435 for Rack); no public exploit or CISA KEV listing exists at time of analysis.
Weak cryptography in the dhcast128 user authentication module (UAM) of Netatalk versions 1.5.0 through 4.2.2 allows remote attackers to compromise confidentiality and integrity of AFP authentication exchanges. The flaw was reported by Securin and tagged as an information disclosure issue; no public exploit identified at time of analysis. The CVSS 7.4 score with High attack complexity reflects that exploitation requires conditions beyond a simple network request, yet the impact on credential material and session integrity is significant.
Weak cryptographic algorithm usage in Sulu CMS exposes password reset tokens and API keys to prediction or brute-force attacks, potentially enabling unauthorized account takeover or API access. The flaw resides in the SecurityBundle's User.php and ResettingController.php, affecting all Sulu 2.x releases up to 2.6.22 and all 3.x releases from the first alpha through 3.0.5. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the cryptographic weakness (CWE-327) is structurally exploitable by a motivated attacker with network access to the application.
Algorithm confusion in LibJWT 3.0.0 through 3.3.2 allows authentication bypass when RSA JWKs lack the 'alg' parameter. The OpenSSL backend incorrectly processes HMAC verification with a zero-length key when an RSA key without 'alg' is used to verify HS256/HS384/HS512 tokens, enabling attackers to forge valid JWTs without knowing any secret. Public exploit code exists (SSVC), making this a critical authentication bypass affecting applications using JWKS-based key lookup.
Weak credential generation in Ingeteam's Ingecon Sun EMS Board Technical Support access mechanism allows remote privilege escalation via cryptographic weakness. The SAT (Technical Support) access feature generates credentials using a weak hashing algorithm instead of cryptographically secure methods, enabling attackers to predict or derive privileged access credentials. CVSS 9.2 reflects network-accessible attack with high complexity but no authentication required. INCIBE coordinated disclosure confirms vendor patch availability, and a practical analysis of the vulnerability has been published by ReverseMode, indicating detailed technical understanding exists in the research community.
Remote attackers can decrypt tenant email addresses and metadata, and trigger denial-of-service conditions in MAXHUB Pivot client versions prior to v1.36.2 via hardcoded AES encryption keys. The vulnerability (CWE-327: Broken/Risky Cryptographic Algorithm) enables complete bypass of data confidentiality controls without authentication due to embedded cryptographic secrets in the application binary. CISA ICS-CERT disclosure indicates this affects operational technology environments where MAXHUB collaboration devices are deployed. No active exploitation confirmed in CISA KEV at time of analysis, though the attack vector is trivially exploitable (AV:N/AC:L/PR:N/UI:N) once the hardcoded key is extracted via reverse engineering.
Paramiko through version 4.0.0 before commit a448945 accepts SHA-1-based RSA signatures (ssh-rsa algorithm) in host key verification and authentication contexts, violating modern cryptographic standards and enabling signature forgery attacks. The vulnerability affects SSH clients and servers using Paramiko for key exchange and authentication, allowing remote attackers on the same network segment to potentially forge host keys or perform man-in-the-middle attacks by exploiting the deprecated SHA-1 hash algorithm. No public exploit code has been identified at time of analysis, though the issue is cryptographically fundamental and OSTIF security audit documentation exists.
Weak cryptographic hash usage in code-projects Chat System 1.0 allows remote attackers to compromise password security through the MD5 Hash Handler in update_user.php. The vulnerability stems from use of MD5 for password hashing, a cryptographically broken algorithm that enables rapid offline cracking of password hashes. Publicly disclosed exploit code exists, though exploitation requires high attack complexity. The vulnerability impacts password confidentiality with low direct severity but creates substantial downstream risks for user account compromise.
IBM Security Verify Access and Verify Identity Access products versions 10.0 through 10.0.9.1 and 11.0 through 11.0.2 use cryptographic algorithms weaker than expected, allowing authenticated network attackers to decrypt highly sensitive information. The vulnerability affects both containerized and non-containerized deployments across multiple major versions. CVSS 6.5 reflects high confidentiality impact with low attack complexity, though authenticated access is required.
Weak cryptographic implementation in Silex Technology SD-330AC wireless LAN adapters (v1.42 and earlier) and AMC Manager software (v5.0.2 and earlier) allows network-positioned attackers to intercept and decrypt network traffic through man-in-the-middle attacks. The vulnerability stems from use of broken or risky cryptographic algorithms (CWE-327), enabling confidentiality breach of transmitted data. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability, and CISA SSVC framework classifies this as non-exploited with non-automatable attacks requiring attacker positioning. No public exploit code or active exploitation reported at time of analysis.
Broken or risky cryptographic algorithm use in Dell PowerFlex Manager's SSH component (versions ≤4.6.2) allows a locally authenticated low-privileged attacker to bypass SSH protection mechanisms, affecting both Appliance and Rack form factors. The CVSS vector (AV:L/AC:H/PR:L) reflects significant exploitation barriers: physical or logical local access is required, attack complexity is high, and impact is limited to partial confidentiality and integrity loss with no availability impact. Dell has published dual advisories (DSA-2025-434 for Appliance, DSA-2025-435 for Rack); no public exploit or CISA KEV listing exists at time of analysis.
Weak cryptography in the dhcast128 user authentication module (UAM) of Netatalk versions 1.5.0 through 4.2.2 allows remote attackers to compromise confidentiality and integrity of AFP authentication exchanges. The flaw was reported by Securin and tagged as an information disclosure issue; no public exploit identified at time of analysis. The CVSS 7.4 score with High attack complexity reflects that exploitation requires conditions beyond a simple network request, yet the impact on credential material and session integrity is significant.
Weak cryptographic algorithm usage in Sulu CMS exposes password reset tokens and API keys to prediction or brute-force attacks, potentially enabling unauthorized account takeover or API access. The flaw resides in the SecurityBundle's User.php and ResettingController.php, affecting all Sulu 2.x releases up to 2.6.22 and all 3.x releases from the first alpha through 3.0.5. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the cryptographic weakness (CWE-327) is structurally exploitable by a motivated attacker with network access to the application.
Algorithm confusion in LibJWT 3.0.0 through 3.3.2 allows authentication bypass when RSA JWKs lack the 'alg' parameter. The OpenSSL backend incorrectly processes HMAC verification with a zero-length key when an RSA key without 'alg' is used to verify HS256/HS384/HS512 tokens, enabling attackers to forge valid JWTs without knowing any secret. Public exploit code exists (SSVC), making this a critical authentication bypass affecting applications using JWKS-based key lookup.
Weak credential generation in Ingeteam's Ingecon Sun EMS Board Technical Support access mechanism allows remote privilege escalation via cryptographic weakness. The SAT (Technical Support) access feature generates credentials using a weak hashing algorithm instead of cryptographically secure methods, enabling attackers to predict or derive privileged access credentials. CVSS 9.2 reflects network-accessible attack with high complexity but no authentication required. INCIBE coordinated disclosure confirms vendor patch availability, and a practical analysis of the vulnerability has been published by ReverseMode, indicating detailed technical understanding exists in the research community.
Remote attackers can decrypt tenant email addresses and metadata, and trigger denial-of-service conditions in MAXHUB Pivot client versions prior to v1.36.2 via hardcoded AES encryption keys. The vulnerability (CWE-327: Broken/Risky Cryptographic Algorithm) enables complete bypass of data confidentiality controls without authentication due to embedded cryptographic secrets in the application binary. CISA ICS-CERT disclosure indicates this affects operational technology environments where MAXHUB collaboration devices are deployed. No active exploitation confirmed in CISA KEV at time of analysis, though the attack vector is trivially exploitable (AV:N/AC:L/PR:N/UI:N) once the hardcoded key is extracted via reverse engineering.
Paramiko through version 4.0.0 before commit a448945 accepts SHA-1-based RSA signatures (ssh-rsa algorithm) in host key verification and authentication contexts, violating modern cryptographic standards and enabling signature forgery attacks. The vulnerability affects SSH clients and servers using Paramiko for key exchange and authentication, allowing remote attackers on the same network segment to potentially forge host keys or perform man-in-the-middle attacks by exploiting the deprecated SHA-1 hash algorithm. No public exploit code has been identified at time of analysis, though the issue is cryptographically fundamental and OSTIF security audit documentation exists.
Weak cryptographic hash usage in code-projects Chat System 1.0 allows remote attackers to compromise password security through the MD5 Hash Handler in update_user.php. The vulnerability stems from use of MD5 for password hashing, a cryptographically broken algorithm that enables rapid offline cracking of password hashes. Publicly disclosed exploit code exists, though exploitation requires high attack complexity. The vulnerability impacts password confidentiality with low direct severity but creates substantial downstream risks for user account compromise.
IBM Security Verify Access and Verify Identity Access products versions 10.0 through 10.0.9.1 and 11.0 through 11.0.2 use cryptographic algorithms weaker than expected, allowing authenticated network attackers to decrypt highly sensitive information. The vulnerability affects both containerized and non-containerized deployments across multiple major versions. CVSS 6.5 reflects high confidentiality impact with low attack complexity, though authenticated access is required.
Weak cryptographic implementation in Silex Technology SD-330AC wireless LAN adapters (v1.42 and earlier) and AMC Manager software (v5.0.2 and earlier) allows network-positioned attackers to intercept and decrypt network traffic through man-in-the-middle attacks. The vulnerability stems from use of broken or risky cryptographic algorithms (CWE-327), enabling confidentiality breach of transmitted data. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability, and CISA SSVC framework classifies this as non-exploited with non-automatable attacks requiring attacker positioning. No public exploit code or active exploitation reported at time of analysis.