CVE-2025-10010
Status: Received - Intake
Configuration File Integrity Bypass in CryptoPro Secure Disk Enables Root Code Execution

Publication date: 2026-02-24

Last updated on: 2026-03-13

Assigner: SEC Consult Vulnerability Lab

Description
The CPSD CryptoPro Secure Disk application boots a small Linux operating system to perform user authentication before using BitLocker to decrypt the Windows partition. This system is located on a separate, unencrypted partition that can be reached by anyone with access to the hard disk. Multiple checks are performed to validate the integrity of the Linux operating system and the CryptoPro Secure Disk application files; when files are changed, an error is shown at system start. One of these checks is the Linux kernel's Integrity Measurement Architecture (IMA). It was identified that configuration files are not validated by the IMA and can therefore be changed unless other measures check them. This allows an attacker to execute arbitrary code in the context of the root user, for example to plant a backdoor and access data during execution.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-24
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: cpsd
Product: cryptopro_secure_disk
Version / Range: up to 7.6.6 (exclusive)
CWE-353: The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability affects the CPSD CryptoPro Secure Disk application, which uses a small Linux operating system on an unencrypted partition to authenticate users before decrypting the Windows partition with BitLocker.

Because the partition is unencrypted and accessible to anyone with physical access to the device, an attacker can modify configuration files that are not validated by the Linux kernel's Integrity Measurement Architecture (IMA).

This allows the attacker to execute arbitrary code with root privileges during system startup, for example by placing a malicious script in the DHCP daemon's enter-hook script, enabling persistent root access without triggering integrity errors. [1]


How can this vulnerability impact me?

An attacker with physical access to the device or hard drive can exploit this vulnerability to gain root-level control by modifying unprotected configuration files.

This can lead to the installation of backdoors, unauthorized persistent access, and the ability to execute arbitrary code during system startup.

Additionally, sensitive data such as network credentials and certificates stored in cleartext in the Linux environment can be accessed, potentially allowing unauthorized access to internal networks or bypassing network protections like 802.1x.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves modification of configuration files on an unencrypted Linux partition used by CPSD CryptoPro Secure Disk. Detection involves checking for unauthorized changes to configuration files, especially the DHCP daemon's enter-hook script located at /etc/dhcpcd.enter-hook.

Since the Linux kernel's Integrity Measurement Architecture (IMA) does not validate these configuration files, manual inspection or file integrity monitoring tools should be used to detect changes.

Suggested commands to detect suspicious modifications include:

- Check the modification time and contents of the enter-hook script: `ls -l /etc/dhcpcd.enter-hook` and `cat /etc/dhcpcd.enter-hook`
- Verify other configuration files on the unencrypted partition for unexpected changes.
- Check for unexpected files or scripts in the /tmp directory that might contain sensitive data or malicious code.
- Use file integrity monitoring tools (e.g., tripwire, AIDE) configured to monitor the unencrypted partition files. [1]
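The `ls -l` and `cat` spot check above covers one file and relies on the reviewer noticing a change by eye. The script below, added here as an example and not taken from the advisory, the vendor, or SEC Consult, generalizes it into a baseline-and-verify check over the whole unencrypted partition: it records a SHA-256 per file from a known-good image and later reports files that were modified, added, or removed, so an unexpected hook script or a dropped file is flagged even when the enter-hook itself looks intact. It assumes the PBA partition is mounted read-only on a trusted host and that `sha256sum`, `find` and `awk` are available; the directory and file names in `demo()` are constructed stand-ins, not real product paths.

```shell
#!/bin/sh
# Added example (not from the advisory or the vendor): baseline-and-verify
# integrity check for files on the unencrypted PBA partition.
# Assumptions: the partition is mounted read-only on a trusted host, the
# baseline was taken from a known-good image, and coreutils sha256sum is
# available. The tree and file names built in demo() are constructed.
set -u

# pba_baseline DIR OUT: write "sha256  ./relative/path" for every regular
# file under DIR into OUT, sorted so two baselines can be diffed directly.
pba_baseline() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -print | sort |
        while IFS= read -r f; do sha256sum "$f"; done ) > "$out"
}

# pba_verify DIR BASELINE: rehash DIR and print one line per finding:
# MODIFIED (hash differs), ADDED (not in baseline), MISSING (gone).
# Returns 0 when the tree matches the baseline exactly, 1 otherwise.
pba_verify() {
    dir=$1; base=$2
    cur=$(mktemp)
    pba_baseline "$dir" "$cur"
    rc=0
    awk '
        BEGIN { n = 0 }
        FNR == NR { b[$2] = $1; next }          # first file: baseline
        { c[$2] = $1 }                          # second file: current state
        END {
            for (p in b) {
                if (!(p in c))         { print "MISSING " p;  n++ }
                else if (b[p] != c[p]) { print "MODIFIED " p; n++ }
            }
            for (p in c) if (!(p in b)) { print "ADDED " p; n++ }
            exit (n > 0)
        }' "$base" "$cur" || rc=$?
    rm -f "$cur"
    return $rc
}

# demo: build a constructed stand-in for the PBA tree, take a baseline,
# then apply the kinds of change the advisory describes and verify.
demo() {
    root=$(mktemp -d)      # stands in for the mounted PBA partition
    base=$(mktemp)         # keep the baseline outside the checked tree
    mkdir -p "$root/etc"
    printf '# constructed sample enter-hook\n' > "$root/etc/dhcpcd.enter-hook"
    printf 'pba-host\n' > "$root/etc/hostname"
    pba_baseline "$root" "$base"
    # Constructed tampering: hook edited, a file added, a file removed
    printf '# unauthorized edit (constructed)\n' >> "$root/etc/dhcpcd.enter-hook"
    printf 'x\n' > "$root/etc/rogue.conf"
    rm -f "$root/etc/hostname"
    pba_verify "$root" "$base" || true
    rm -rf "$root" "$base"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run `sh script.sh --demo` to see the three findings on the constructed tree; for a real check, take the baseline once from a clean image with `pba_baseline /mnt/pba baseline.txt` (mount point is a placeholder) and keep that file off the partition being checked, since a copy stored on the partition would itself be modifiable. The awk comparison splits on whitespace, so file names containing spaces are not handled; a production deployment would use a tool such as AIDE, which the answer above already suggests, and which also tracks ownership and mode bits.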


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include applying the vendor-provided patches by upgrading CPSD CryptoPro Secure Disk to version 7.6.6, 7.7.1, or later.

If patching is not immediately possible, enable encryption of the Pre-Boot Authentication (PBA) partition manually, a feature available since version 7.6.0, to prevent unauthorized modification of the unencrypted partition.

Additionally, conduct a comprehensive security review to identify and remediate any further issues related to this vulnerability.

Restrict physical access to devices to prevent attackers from accessing or modifying the unencrypted partition.

