CVE-2025-51540
BaseFortify

Publication date: 2025-08-19

Last updated on: 2025-08-20

Assigner: MITRE

Description
EzGED3 3.5.0 stores user passwords using an insecure hashing scheme: md5(md5(password)). This hashing method is cryptographically weak and allows attackers to perform efficient offline brute-force attacks if password hashes are disclosed. The lack of salting and the use of a fast, outdated algorithm make it feasible to recover plaintext credentials using precomputed tables or GPU-based cracking tools. The vendor states that the issue is fixed in 3.5.72.27183.
Meta Information
Published: 2025-08-19
Last Modified: 2025-08-20
Generated: 2026-05-07
AI Q&A: 2025-08-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor | Product | Version / Range
ezged3 | ezged3 | 3.5.72.27183
ezged3 | ezged3 | 3.5.0
CWE ID | Description
CWE-260 | The product stores a password in a configuration file that might be accessible to actors who do not know the password.
AI Powered Q&A
Can you explain this vulnerability to me?

EzGED3 version 3.5.0 stores user passwords using a weak hashing method: md5(md5(password)). This outdated and unsalted hashing scheme allows attackers to efficiently perform offline brute-force attacks to recover plaintext passwords if they obtain the password hashes. Additionally, an associated vulnerability (CVE-2025-51539) enables attackers to read arbitrary files, including database files containing these weakly hashed passwords and password reset tokens, leading to a full administrative takeover without needing code execution or privilege escalation. [1]


How can this vulnerability impact me?

This vulnerability can lead to a complete administrative takeover of the EzGED3 application. Attackers can access sensitive files and database credentials through arbitrary file read exploits, extract weakly hashed passwords and password reset tokens, and reset passwords without authorization. This compromises user accounts, exposes sensitive data, and allows attackers to control the application fully. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves checking whether an EzGED3 version prior to 3.5.72.27183 is installed and verifying whether the /data/ directory is publicly accessible with directory listing enabled. You can request the /data/ folder and look for files like ezOpenFile.html or showparaphdocs.php, using curl or wget, for example:

curl -I http://<target>/data/ (checks for directory listing)
curl http://<target>/data/ezOpenFile.html (checks whether the file is accessible)

Additionally, scanning for exposed phpMyAdmin interfaces and checking for the presence of the vulnerable PHP script can help detect exploitation attempts. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading EzGED3 to version 3.5.72.27183 or later, as the vendor has fixed the issue in this release. Additionally, disable directory listing on the /data/ folder to prevent exposure of sensitive files. Restrict access to sensitive files and directories, especially those containing configuration and database credentials. If possible, restrict or disable access to phpMyAdmin interfaces or secure them with strong authentication. Finally, review and rotate any exposed credentials and reset passwords to prevent unauthorized access. [1]
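
For an application you maintain that still holds hashes in this format, the following added example (not EzGED3's or the vendor's code; the page does not describe how the fixed release stores passwords) shows one way to retire them: wrap every stored hash in salted PBKDF2 immediately, then re-hash from the plaintext at the next successful login. The record format, function names and iteration count are assumptions, as is the PHP-style hex encoding of the inner MD5.

```python
import hashlib, hmac, os, re

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed; tune per host)
LEGACY_RE = re.compile(r"[0-9a-f]{32}")  # shape of a bare md5(md5(password)) value

def legacy_hash(password: str) -> str:
    """md5(md5(password)); assumes the inner digest is hex text, as PHP's md5() returns."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5(inner.encode()).hexdigest()

def _pbkdf2(secret: str, salt: bytes, iters: int) -> str:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iters).hex()

def _record(scheme: str, secret: str) -> str:
    salt = os.urandom(16)  # unique per-user salt defeats precomputed tables
    return f"{scheme}${ITERATIONS}${salt.hex()}${_pbkdf2(secret, salt, ITERATIONS)}"

def wrap_legacy(stored: str) -> str:
    """Bulk step: wrap an existing legacy hash without knowing the password."""
    if not LEGACY_RE.fullmatch(stored):
        return stored  # already migrated or unknown format: leave untouched
    return _record("pbkdf2-wrapped", stored)

def verify(password: str, stored: str):
    """Return (ok, replacement_record_or_None) for one login attempt."""
    if LEGACY_RE.fullmatch(stored):  # bare legacy hash still in the database
        ok = hmac.compare_digest(legacy_hash(password), stored)
        return ok, (_record("pbkdf2", password) if ok else None)
    try:
        scheme, iters, salt_hex, want = stored.split("$")
        salt, iters = bytes.fromhex(salt_hex), int(iters)
        if iters < 1:
            raise ValueError("bad iteration count")
    except ValueError:
        return False, None  # malformed record: fail closed
    if scheme == "pbkdf2-wrapped":
        secret = legacy_hash(password)  # outer KDF was computed over the old hash
    elif scheme == "pbkdf2":
        secret = password
    else:
        return False, None
    ok = hmac.compare_digest(_pbkdf2(secret, salt, iters), want)
    # Once the plaintext is seen, re-hash it directly so the MD5 layer disappears.
    upgrade = scheme != "pbkdf2" or iters < ITERATIONS
    return ok, (_record("pbkdf2", password) if ok and upgrade else None)
```

Wrapping slows offline guessing against a future disclosure only; any hash that may already have been read still needs the password reset the answer above calls for.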

