
CVE-2025-2545: CWE-327 Use of a Broken or Risky Cryptographic Algorithm in Best Practical Solutions Request Tracker

Severity: Low
Published: Mon May 05 2025 (05/05/2025, 11:28:43 UTC)
Source: CVE
Vendor/Project: Best Practical Solutions
Product: Request Tracker

Description

Vulnerability in Best Practical Solutions, LLC's Request Tracker prior to v5.0.8, where the Triple DES (3DES) cryptographic algorithm is used to protect emails sent with S/MIME encryption. Triple DES is considered obsolete and insecure due to its susceptibility to birthday attacks, which could compromise the confidentiality of encrypted messages.

AI-Powered Analysis

AI analysis last updated: 11/04/2025, 02:30:30 UTC

Technical Analysis

CVE-2025-2545 is a cryptographic weakness in Best Practical Solutions' Request Tracker before version 5.0.8: S/MIME-encrypted mail sent by RT is protected with Triple DES (3DES, normally as des-ede3-cbc). 3DES is obsolete chiefly because of its 64-bit block size. In CBC mode, once roughly 2^32 blocks (about 32 GiB) have been encrypted under one key, repeated ciphertext blocks become likely, and every such collision leaks the XOR of two plaintext blocks (the Sweet32 birthday attack). NIST has deprecated 3DES and disallows it for encryption after 2023. The issue is classified as CWE-327, Use of a Broken or Risky Cryptographic Algorithm. Two caveats matter in practice. First, S/MIME generates a fresh content-encryption key for every message, so a birthday attack needs that volume of ciphertext inside a single message; this is why the severity is low even though 3DES is formally broken. Second, the attack is passive: it runs offline against any copy of the ciphertext the attacker already holds (captured SMTP traffic, mailbox or relay backups), so beyond a message being sent and captured it needs no action from sender or recipient, and it is not observable from the network. The CVSS 4.0 vector reported for the issue gives a network attack vector, high attack complexity, no privileges required, low confidentiality impact and no integrity or availability impact. No exploitation in the wild has been reported, and no patch links are present in the source data, but the vendor's 5.0.8 release replaces 3DES with an AES-based content cipher. Messages already sent with 3DES stay encrypted with 3DES; the upgrade protects only mail sent after it.

Potential Impact

For European organizations, the primary impact is the potential compromise of confidentiality in email communications protected by S/MIME encryption using 3DES within Request Tracker. This could lead to unauthorized disclosure of sensitive or confidential information, including internal communications, customer data, or intellectual property. Although the CVSS score is low, the risk is non-negligible for sectors handling sensitive data such as finance, healthcare, legal, and government agencies. Exploitation requires the attacker to obtain the ciphertext and, for a birthday attack, a very large volume of it under one key, which limits the practical risk but does not eliminate it; captured messages remain exposed for as long as the attacker keeps them. Additionally, failure to address this vulnerability may result in non-compliance with GDPR and other data protection regulations that mandate the use of strong encryption to protect personal data. The impact on integrity and availability is negligible, but a confidentiality breach could damage organizational reputation and trust.

Mitigation Recommendations

Organizations should upgrade Request Tracker to version 5.0.8 or later, which replaces 3DES with a modern cipher such as AES for S/MIME encryption. Until the upgrade is applied, avoid relying on RT's S/MIME encryption for highly sensitive content and use another protected channel for it. Network monitoring will not catch this attack, because it is carried out offline against ciphertext the attacker already has; effort is better spent on inventorying encrypted mail RT has sent, confirming which cipher it used (the content-encryption algorithm OID is visible in the CMS structure, for example with `openssl cms -cmsout -print`), and deciding whether any of it warrants re-sending under AES once the upgrade is in place. The weak default is not unique to RT: the OpenSSL `smime -encrypt` command falls back to triple DES when no cipher option such as `-aes256` is given, so any other tool that shells out to it should be checked as well. Review cryptographic policy so that 3DES and other 64-bit block ciphers are phased out across all systems, document the remediation for GDPR and other regulatory purposes, and keep watching for any reported exploitation of this issue.
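The audit step above is straightforward to automate, because the cipher is encoded in clear in every S/MIME EnvelopedData message as the contentEncryptionAlgorithm OID. The following is an added example, not code from the advisory or from Request Tracker: a minimal DER walker that classifies the base64 body of an `application/pkcs7-mime` part as 3DES (pre-5.0.8 behaviour) or AES, plus a small encoder that constructs sample messages so the check can be run offline. The recipient key and ciphertext bytes in the samples are dummies; only the structure matters.

```python
import base64

# Content-encryption algorithm OIDs (RFC 3370, RFC 3565, RFC 5084).
WEAK_CIPHERS = {
    "1.2.840.113549.3.7": "des-ede3-cbc (3DES, 64-bit block)",
    "1.2.840.113549.3.2": "rc2-cbc (64-bit block)",
}
STRONG_CIPHERS = {
    "2.16.840.1.101.3.4.1.2": "aes128-cbc",
    "2.16.840.1.101.3.4.1.42": "aes256-cbc",
    "2.16.840.1.101.3.4.1.46": "aes256-gcm",
}
OID_ENVELOPED_DATA = "1.2.840.113549.1.7.3"

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + _der_len(len(payload)) + payload

def oid(dotted):
    # DER OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128.
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

def decode_oid(payload):
    arcs, value = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def walk_oids(buf):
    """Yield every OID in a DER blob, depth first. Only constructed types are
    descended into, so IV and ciphertext octets are never misread as OIDs."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                      # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        body, pos = buf[pos:pos + length], pos + length
        if tag == 0x06:
            yield decode_oid(body)
        elif tag & 0x20:                       # SEQUENCE, SET, [n] EXPLICIT
            yield from walk_oids(body)

def content_cipher(pkcs7_mime_b64):
    """Classify a base64 application/pkcs7-mime body. Returns (oid, name, is_weak),
    or None if the blob is not EnvelopedData or uses an unlisted algorithm."""
    der = base64.b64decode("".join(pkcs7_mime_b64.split()))
    oids = list(walk_oids(der))
    if not oids or oids[0] != OID_ENVELOPED_DATA:
        return None
    for o in oids:
        if o in WEAK_CIPHERS:
            return o, WEAK_CIPHERS[o], True
        if o in STRONG_CIPHERS:
            return o, STRONG_CIPHERS[o], False
    return None

def build_enveloped_data(cipher_oid, iv, ciphertext):
    """Constructed CMS ContentInfo/EnvelopedData with one placeholder RSA recipient.
    Key and ciphertext are dummy bytes; this is not real Request Tracker output."""
    recipient = tlv(0x30, b"".join([
        tlv(0x02, b"\x00"),                                       # version 0
        tlv(0x30, tlv(0x30, b"") + tlv(0x02, b"\x01")),           # issuerAndSerialNumber
        tlv(0x30, oid("1.2.840.113549.1.1.1") + tlv(0x05, b"")),  # rsaEncryption
        tlv(0x04, b"\x00" * 16),                                  # encryptedKey (dummy)
    ]))
    eci = tlv(0x30, b"".join([
        oid("1.2.840.113549.1.7.1"),                              # id-data
        tlv(0x30, oid(cipher_oid) + tlv(0x04, iv)),               # contentEncryptionAlgorithm
        tlv(0x80, ciphertext),                                    # [0] IMPLICIT encryptedContent
    ]))
    enveloped = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x31, recipient) + eci)
    return tlv(0x30, oid(OID_ENVELOPED_DATA) + tlv(0xA0, enveloped))

# Constructed samples: a pre-5.0.8 style 3DES body and a fixed AES-256 body.
LEGACY_3DES_BODY = base64.b64encode(
    build_enveloped_data("1.2.840.113549.3.7", b"\x00" * 8, b"\x11" * 16)).decode()
AES256_BODY = base64.b64encode(
    build_enveloped_data("2.16.840.1.101.3.4.1.42", b"\x00" * 16, b"\x11" * 32)).decode()

if __name__ == "__main__":
    for label, body in (("legacy", LEGACY_3DES_BODY), ("fixed", AES256_BODY)):
        print(label, content_cipher(body))
```

To audit real mail, pass `content_cipher` the base64 body of each `application/pkcs7-mime` part from RT's outgoing mail or from a mailbox export; any result flagged `True` was encrypted with a 64-bit block cipher and should be treated as candidate for re-sending under AES after the upgrade. The walker only descends into constructed types, which is what keeps the IV and ciphertext octet strings from being mistaken for OIDs.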


Technical Details

Data Version
5.1
Assigner Short Name
INCIBE
Date Reserved
2025-03-20T09:12:46.915Z
Cisa Enriched
true
Cvss Version
4.0
State
PUBLISHED

Threat ID: 682d981fc4522896dcbdcc78

Added to database: 5/21/2025, 9:08:47 AM

Last enriched: 11/4/2025, 2:30:30 AM

Last updated: 11/22/2025, 12:03:36 PM

