CVE-2025-32874: n/a
An issue was discovered in Kaseya Rapid Fire Tools Network Detective through 2.0.16.0. A vulnerability exists in the EncryptionUtil class because symmetric encryption is implemented in a deterministic and non-randomized fashion. The method Encrypt(byte[] clearData) derives both the encryption key and the IV from a fixed, hardcoded input by using a static salt value. As a result, identical plaintext inputs always produce identical ciphertext outputs. This is true for both FIPS and non-FIPS generated passwords. In other words, there is a cryptographic implementation flaw in the password encryption mechanism. Although there are multiple encryption methods grouped under FIPS and non-FIPS classifications, the logic consistently results in predictable and reversible encrypted outputs due to the lack of per-operation randomness and encryption authentication.
CVE-2025-32874: n/a
Description
An issue was discovered in Kaseya Rapid Fire Tools Network Detective through 2.0.16.0. A vulnerability exists in the EncryptionUtil class because symmetric encryption is implemented in a deterministic and non-randomized fashion. The method Encrypt(byte[] clearData) derives both the encryption key and the IV from a fixed, hardcoded input by using a static salt value. As a result, identical plaintext inputs always produce identical ciphertext outputs. This is true for both FIPS and non-FIPS generated passwords. In other words, there is a cryptographic implementation flaw in the password encryption mechanism. Although there are multiple encryption methods grouped under FIPS and non-FIPS classifications, the logic consistently results in predictable and reversible encrypted outputs due to the lack of per-operation randomness and encryption authentication.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- mitre
- Date Reserved
- 2025-04-11T00:00:00.000Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 6877bb51a83201eaacdbe125
Added to database: 7/16/2025, 2:46:41 PM
Last updated: 7/16/2025, 2:46:41 PM
Views: 1
Related Threats
CVE-2025-32353: n/a
UnknownCVE-2025-5994: CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data in NLnet Labs Unbound
HighCVE-2025-37104: Vulnerability in Hewlett Packard Enterprise (HPE) HPE Telco Service Orchestrator
HighCVE-2025-40918: CWE-340 Generation of Predictable Numbers or Identifiers in EHUELS Authen::SASL::Perl::DIGEST_MD5
UnknownCVE-2025-3871: CWE-862 Missing Authorization in Fortra GoAnywhere MFT
MediumActions
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.