CVE-2025-65998
BaseFortify

Publication date: 2025-11-24

Last updated on: 2025-11-26

Assigner: Apache Software Foundation

Description
Apache Syncope can be configured to store user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker who has obtained access to the internal database content to reconstruct the original cleartext password values. This does not affect encrypted plain attributes, whose values are also stored using AES encryption. Users are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue.
Meta Information
Published: 2025-11-24
Last Modified: 2025-11-26
Generated: 2026-06-16
AI Q&A: 2025-11-24
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor | Product | Version / Range
apache | syncope | From 2.1.0 (inclusive) to 2.1.14 (inclusive)
apache | syncope | From 3.0.0 (inclusive) to 3.0.15 (exclusive)
apache | syncope | From 4.0.0 (inclusive) to 4.0.3 (exclusive)
CWE ID | Description
CWE-321 | The product uses a hard-coded, unchangeable cryptographic key.
Executive Summary

This vulnerability occurs in Apache Syncope when it is configured to store user passwords in the internal database using AES encryption. In that configuration, the AES encryption always uses a default key that is hard-coded in the source code. Because of this, an attacker who gains access to the internal database can use the known default key to decrypt and recover the original cleartext passwords.

Impact Analysis

If an attacker obtains access to the internal database, they can decrypt stored user passwords because the AES key is a hard-coded default. This compromises user credentials, potentially leading to unauthorized access to user accounts and further exploitation of the system or connected services.

Mitigation Strategies

Users are recommended to upgrade Apache Syncope to version 3.0.15 or 4.0.3, which fix the use of a hard-coded AES encryption key for stored passwords.
