
CVE-2025-46660: n/a

Medium
Published: Wed Aug 06 2025 (08/06/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue was discovered in 4C Strategies Exonaut 21.6. Passwords, stored in the database, are hashed without a salt.

AI-Powered Analysis

AI last updated: 08/06/2025, 20:47:45 UTC

Technical Analysis

CVE-2025-46660 identifies a security vulnerability in 4C Strategies Exonaut version 21.6: user passwords stored in the database are hashed without a salt. Password hashing is a critical security control that protects stored passwords by transforming them into a fixed-length digest that is computationally infeasible to reverse. The absence of a salt (a unique, random value combined with each password before hashing) significantly weakens this protection. Without salting, identical passwords produce identical hashes, so attackers can use precomputed hash tables (rainbow tables) or run efficient dictionary and brute-force attacks against the whole password database at once, rather than against each account separately. If an attacker obtains the password database, this makes it considerably easier to recover user passwords, potentially leading to unauthorized access to user accounts and further compromise of the system. Although no known exploits are currently reported in the wild, the fundamental weakness in password storage practices presents a latent risk. The lack of a CVSS score suggests this vulnerability has not yet been fully assessed for severity, but the technical details indicate a notable security concern. The advisory names Exonaut 21.6, but lists no other affected versions and no patch, so organizations using this software should proactively evaluate their exposure and remediation options.

Potential Impact

For European organizations using 4C Strategies Exonaut 21.6, this vulnerability poses a significant risk to the confidentiality and integrity of user credentials. If attackers obtain the password hashes, they can potentially recover passwords more easily due to the lack of salting, leading to unauthorized access to sensitive systems and data. This could result in data breaches, unauthorized data manipulation, and disruption of business operations. Given that Exonaut is a platform used for project and risk management, compromised accounts could allow attackers to access sensitive project information, strategic plans, or personal data of employees and partners. The impact is heightened in sectors with strict data protection regulations such as GDPR, where data breaches can lead to substantial fines and reputational damage. Additionally, compromised credentials could be used for lateral movement within networks, increasing the scope of potential damage. Although no active exploits are reported, the vulnerability represents a latent threat that could be exploited if attackers gain database access through other means.

Mitigation Recommendations

European organizations should immediately assess whether they are using 4C Strategies Exonaut 21.6 and confirm whether their password storage mechanism lacks salting. Specific mitigation steps include:

1) Coordinating with 4C Strategies to obtain patches or updates that implement salted password hashing using strong algorithms such as bcrypt, Argon2, or PBKDF2.
2) If patches are unavailable, planning a secure password reset for all users combined with migration to a more secure password storage scheme.
3) Implementing additional security controls around the database storing password hashes, including strict access controls, encryption at rest, and monitoring for unauthorized access attempts.
4) Conducting regular audits of password policies and enforcing strong password complexity requirements to reduce the risk of password cracking.
5) Employing multi-factor authentication (MFA) to mitigate the risk of compromised passwords leading to account takeover.
6) Monitoring threat intelligence sources for any emerging exploits targeting this vulnerability.
7) Educating users about phishing and credential security to reduce the risk of credential theft through social engineering.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-26T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 6893bbeead5a09ad00f3eac0

Added to database: 8/6/2025, 8:32:46 PM

Last enriched: 8/6/2025, 8:47:45 PM

Last updated: 8/8/2025, 12:34:03 AM

