CVE-2025-13532
Weak Password Hash Algorithm in Fortra BoKS Server Agent
Publication date: 2025-12-16
Last updated on: 2025-12-16
Assigner: Fortra
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fortra | core_privileged_access_manager | 8.1 |
| fortra | core_privileged_access_manager | 9.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-916 | The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves insecure default settings in the Server Agent component of Fortra's Core Privileged Access Manager (BoKS). Specifically, it can cause the system to select weak password hash algorithms, which reduces the security of stored passwords. It affects BoKS Server Agent 9.0 instances that support yescrypt and operate within a BoKS 8.1 domain.
How can this vulnerability impact me? :
The impact of this vulnerability is that weak password hash algorithms may be used, making it easier for attackers with local access to compromise password hashes. This can lead to unauthorized access to privileged accounts or sensitive systems, potentially resulting in data breaches or other security incidents.