CVE-2025-27458
BaseFortify
Publication date: 2025-07-03
Last updated on: 2026-02-06
Assigner: SICK AG
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| endress | meac300-fnade4_firmware | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-327 | The product uses a broken or risky cryptographic algorithm or protocol. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the VNC authentication mechanism, which uses a challenge-response system where both server and client share the same password for encryption. The server sends a challenge to the client, which encrypts it and sends it back. The server then encrypts the challenge locally and compares the responses. Because all VNC communication is unencrypted, an attacker can intercept the challenge and response and attempt to derive the password from this information.
How can this vulnerability impact me?
An attacker who intercepts the unencrypted VNC communication can obtain the challenge and response values and use them to try to derive the password. If successful, the attacker could gain unauthorized access to the VNC server, potentially compromising the confidentiality of the system without affecting integrity or availability.