CVE-2025-10080
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in running-elephant Datart up to 1.0.0-rc3. Affected by this issue is the function getTokensecret of the file datart/security/src/main/java/datart/security/util/AESUtil.java of the component API. The manipulation leads to use of hard-coded cryptographic key . The attack is possible to be carried out remotely. The attack is considered to have high complexity. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-08
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-09-08
EPSS Evaluated
2026-06-14
NVD
CVE-2025-10080
EUVD
EUVD-2025-33986
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
running-elephant datart 1.0.0-rc3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-321 The product uses a hard-coded, unchangeable cryptographic key.
CWE-320 Key Management Errors
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-10080 is a vulnerability in Elephant Datart version 1.0.0-rc3 where a hard-coded cryptographic key is used in the AES encryption method getTokensecret. This means that sensitive information, such as database passwords, is encrypted with a default key that attackers can know and use to decrypt the data. As a result, attackers can obtain sensitive credentials by intercepting API responses that expose encrypted passwords and decrypting them using the hard-coded key. [1, 2, 3]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information, specifically database credentials. If the default AES key is not changed by the administrator, an attacker can remotely decrypt encrypted passwords and gain access to the database. This compromises the confidentiality of the system and may allow attackers to further exploit the system or access sensitive data. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by capturing and analyzing network traffic for API response packets that expose database usernames in plaintext and AES-encrypted passwords. Since the AES encryption uses a hard-coded key, you can attempt to decrypt captured encrypted passwords using the known default key from the getTokensecret method in AESUtil.java. Commands such as 'tcpdump' or 'Wireshark' can be used to capture network packets. For example, use 'tcpdump -i <interface> -w capture.pcap port <datart_api_port>' to capture traffic, then analyze the capture for sensitive data exposure. Additionally, reviewing the source code or binaries for the presence of the hard-coded key in AESUtil.java can help detect vulnerable installations. [1, 2]

Mitigation Strategies

Immediate mitigation steps include replacing or patching the affected component to remove the hard-coded cryptographic key. Since no known countermeasures or mitigations have been documented, it is recommended to upgrade to a version of Elephant Datart that does not contain this vulnerability or switch to an alternative product. Additionally, restrict access to the API to trusted users and monitor for suspicious activity. If possible, change the default AES key to a secure, unique key to prevent attackers from decrypting sensitive data. [3, 1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10080. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart