CVE-2025-13175 identifies a security vulnerability in YSoft SafeQ 6, specifically versions before MU106, where the password field used in the Workflow Connector is not properly masked in the user interface. This flaw is categorized under CWE-549 (Missing Password Field Masking), meaning that the password input is rendered in a way that allows it to be revealed through browser developer or inspection tools by an administrator with UI access. The vulnerability affects only those customers who have configured a password-protected scan workflow connector. Because the password is exposed in the UI's HTML or JavaScript code, an administrator can easily extract the plaintext password without needing additional privileges or authentication bypass. The CVSS 4.0 vector indicates the attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required for the attack itself (PR:H means privileges are required but here it means high privileges are needed to access the UI), no user interaction (UI:N), and low impact on confidentiality (VC:L), with no impact on integrity or availability. This vulnerability does not require user interaction and does not affect system availability or integrity directly but compromises confidentiality of sensitive credentials. No known exploits have been reported in the wild, but the exposure of passwords could facilitate unauthorized access to scanning workflows, potentially leading to data leakage or misuse of scanning infrastructure. The issue is resolved in version MU106 and later, although no patch links are currently provided. The vulnerability is primarily a UI security issue but can have broader implications if the exposed credentials are reused or if scanning workflows integrate with sensitive systems.

For European organizations, the exposure of workflow connector passwords in YSoft SafeQ 6 can lead to unauthorized access to scanning workflows, potentially allowing attackers or malicious insiders to intercept, alter, or redirect scanned documents. This could result in leakage of sensitive or confidential information, especially in sectors like government, finance, healthcare, and legal services where document scanning is frequent and sensitive. The impact on confidentiality is moderate since the vulnerability requires administrator UI access, limiting the attacker pool to insiders or compromised admin accounts. However, given that scanning workflows often integrate with document management systems or email, the risk of lateral movement or data exfiltration increases if credentials are exposed. The vulnerability does not affect system availability or integrity directly but could undermine trust in document handling processes. European organizations with strict data protection regulations such as GDPR must consider the risk of unauthorized data exposure and potential compliance violations. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially in environments with weak internal controls or insufficient privilege management.

To mitigate CVE-2025-13175, European organizations should: 1) Upgrade YSoft SafeQ 6 to version MU106 or later as soon as the patch becomes available to ensure the password field is properly masked. 2) Restrict administrator UI access strictly to trusted personnel and implement strong authentication and session management controls to prevent unauthorized access. 3) Conduct regular audits of administrator activities and monitor for unusual access patterns to the SafeQ UI. 4) Where possible, avoid using password-protected scan workflow connectors or rotate passwords frequently to limit exposure duration. 5) Educate administrators about the risk of password exposure through browser tools and enforce policies against sharing or storing passwords insecurely. 6) Implement network segmentation and access controls to isolate scanning infrastructure from other critical systems, reducing the impact of credential exposure. 7) Review integration points of scanning workflows with other systems to ensure that compromised credentials cannot be leveraged for further attacks. 8) Maintain an incident response plan that includes steps for credential compromise scenarios related to scanning workflows.