CVE-2025-67112
Hard-Coded AES Key in Sercomm SCE4255W Enables Privilege Escalation
Publication date: 2026-03-19
Last updated on: 2026-03-24
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sercomm | sce4255w | to dg3934v3@2308041842 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-321 | The product uses a hard-coded, unchangeable cryptographic key. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
The vulnerability allows remote authenticated users to gain unauthorized control over device configurations by decrypting and modifying them.
This can lead to credential manipulation, which may result in privilege escalation, giving attackers higher access rights than intended.
Such unauthorized access and control can compromise the security and integrity of the affected device and potentially the network it operates within.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know
Can you explain this vulnerability to me?
This vulnerability involves the use of a hard-coded AES-256-CBC encryption key in the configuration backup and restore feature of the Small Cell Sercomm SCE4255W firmware before version DG3934v3@2308041842.
Because the encryption key is hard-coded and not unique per device, remote authenticated users can decrypt, modify, and then re-encrypt device configuration files.
This manipulation is possible through the device's graphical user interface (GUI) import and export functions, allowing attackers to alter credentials and escalate privileges on the device.