CVE-2025-57430
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-22

Last updated on: 2025-10-14

Assigner: MITRE

Description
Creacast Creabox Manager 4.4.4 exposes sensitive configuration data via a publicly accessible endpoint /get. When accessed, this endpoint returns internal configuration including the creacodec.lua file, which contains plaintext admin credentials.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-22
Last Modified
2025-10-14
Generated
2026-06-16
AI Q&A
2025-09-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-57430
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
creacast creabox_manager 4.4.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Creacast Creabox Manager 4.4.4 allows anyone to access a publicly available endpoint (/get) that exposes sensitive internal configuration data. Specifically, it returns the creacodec.lua file, which contains plaintext administrator credentials, potentially allowing unauthorized access.

Impact Analysis

The exposure of plaintext admin credentials through a public endpoint can lead to unauthorized access to the system, allowing attackers to control or manipulate the device or software, potentially leading to data breaches, service disruption, or further exploitation.

Detection Guidance

You can detect this vulnerability by checking if the /get endpoint on your Creacast Creabox Manager 4.4.4 instance is publicly accessible and returns sensitive configuration data. For example, you can use a command like: curl http://<target-ip-or-hostname>/get to see if the internal configuration, including creacodec.lua with plaintext admin credentials, is exposed.

Mitigation Strategies

Immediate mitigation steps include restricting access to the /get endpoint to authorized users only, disabling or removing the endpoint if not needed, and changing any exposed plaintext admin credentials found in the creacodec.lua file. Additionally, monitor access logs for unauthorized requests to this endpoint.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-57430. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart