CVE-2025-32874
BaseFortify
Publication date: 2025-07-16
Last updated on: 2025-11-24
Assigner: MITRE
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kaseya | rapidfire_tools_network_detective | * |
| kaseya | rapidfire_tools_network_detective | 2.0.16.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-311 | The product does not encrypt sensitive or critical information before storage or transmission. |
| CWE-326 | The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cryptographic flaw in the EncryptionUtil class of Kaseya Rapid Fire Tools Network Detective through version 2.0.16.0. The encryption method uses symmetric encryption in a deterministic, non-randomized way: both the encryption key and the initialization vector (IV) are derived from a fixed, hardcoded input with a static salt. As a result, identical plaintext inputs always produce identical ciphertext outputs, and the encryption is predictable and reversible because it lacks both randomness and authentication.
How can this vulnerability impact me?
Because the encryption is deterministic and predictable, attackers could potentially identify when the same data is encrypted multiple times, making it easier to analyze or reverse the encrypted data. This weakens the confidentiality of sensitive information, potentially exposing passwords or other protected data to unauthorized parties.
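The pattern described above next to a hardened counterpart, as an added example that is not code from the product or from this page: it shows that fixed key and IV derivation makes equal plaintexts encrypt to equal ciphertexts, while a per-message random salt and nonce plus an authentication tag removes both problems. The page does not name the product's algorithms, so PBKDF2, the standard-library stand-in stream cipher, and all names and values here are assumptions; production code should use a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, os

# Constructed stand-ins for the hardcoded input and static salt; not product values.
FIXED_INPUT = b"example-hardcoded-input"
STATIC_SALT = b"example-static-salt"

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: HMAC-SHA256 in counter mode (stdlib only)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def weak_encrypt(plaintext: bytes) -> bytes:
    """Flawed pattern: key and IV both come from fixed input and a static salt."""
    material = hashlib.pbkdf2_hmac("sha256", FIXED_INPUT, STATIC_SALT, 1000, 48)
    key, iv = material[:32], material[32:]
    return _xor_stream(key, iv, plaintext)  # deterministic, and no integrity tag

def _derive(secret: bytes, salt: bytes):
    material = hashlib.pbkdf2_hmac("sha256", secret, salt, 200_000, 64)
    return material[:32], material[32:]  # (encryption key, MAC key)

def hardened_encrypt(secret: bytes, plaintext: bytes) -> bytes:
    """Fresh random salt and nonce per message, then encrypt-then-MAC."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive(secret, salt)
    body = salt + nonce + _xor_stream(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def hardened_decrypt(secret: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; any modification raises ValueError."""
    if len(blob) < 64:
        raise ValueError("blob too short")
    body, tag = blob[:-32], blob[-32:]
    enc_key, mac_key = _derive(secret, body[:16])
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _xor_stream(enc_key, body[16:32], body[32:])

if __name__ == "__main__":
    secret = os.urandom(32)  # constructed; a real secret comes from a key store
    same = weak_encrypt(b"P@ssw0rd") == weak_encrypt(b"P@ssw0rd")
    fresh = hardened_encrypt(secret, b"P@ssw0rd") == hardened_encrypt(secret, b"P@ssw0rd")
    print(same, fresh)  # True False
```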