CVE-2025-67112
Received Received - Intake

Hard-Coded AES Key in Sercomm SCE4255W Enables Privilege Escalation

Vulnerability report for CVE-2025-67112, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-19

Last updated on: 2026-03-24

Assigner: MITRE

Description

Use of a hard-coded AES-256-CBC key in the configuration backup/restore implementation of Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote authenticated users to decrypt, modify, and re-encrypt device configurations, enabling credential manipulation and privilege escalation via the GUI import/export functions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-19
Last Modified
2026-03-24
Generated
2026-07-06
AI Q&A
2026-03-19
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sercomm sce4255w to dg3934v3@2308041842 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-321 The product uses a hard-coded, unchangeable cryptographic key.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability involves the use of a hard-coded AES-256-CBC encryption key in the configuration backup and restore feature of the Small Cell Sercomm SCE4255W firmware before version DG3934v3@2308041842.

Because the encryption key is hard-coded and not unique per device, remote authenticated users can decrypt, modify, and then re-encrypt device configuration files.

This manipulation is possible through the device's graphical user interface (GUI) import and export functions, allowing attackers to alter credentials and escalate privileges on the device.

Impact Analysis

The vulnerability allows remote authenticated users to gain unauthorized control over device configurations by decrypting and modifying them.

This can lead to credential manipulation, which may result in privilege escalation, giving attackers higher access rights than intended.

Such unauthorized access and control can compromise the security and integrity of the affected device and potentially the network it operates within.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67112. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart