CVE-2025-51540 identifies a cryptographic weakness in the EzGED3 software version 3.5.0, where user passwords are stored using an insecure hashing scheme: md5(md5(password)). This double application of MD5 hashing is fundamentally flawed because MD5 is a deprecated cryptographic hash function known for its vulnerabilities to collision attacks and rapid computation speed, which facilitates brute-force and dictionary attacks. Additionally, the absence of salting—random data added to passwords before hashing—exacerbates the risk by allowing attackers to leverage precomputed hash tables (rainbow tables) and GPU-accelerated cracking tools to efficiently recover plaintext passwords from stolen hash databases. The vulnerability does not require user interaction or authentication to exploit once password hashes are obtained, which could occur through other means such as database breaches or insider threats. The vendor has acknowledged the issue and released a fix in version 3.5.72.27183, presumably implementing a more secure password hashing mechanism. No known exploits are currently reported in the wild, but the weakness presents a significant risk if password hashes are leaked.

For European organizations using EzGED3 3.5.0, this vulnerability poses a substantial risk to user credential confidentiality. Compromised password hashes could lead to unauthorized access to user accounts, potentially escalating to broader system compromise depending on the privileges of affected accounts. Given the ease of offline brute-force attacks against MD5 hashes, attackers can quickly recover passwords, especially if users employ weak or common passwords. This could result in data breaches, loss of sensitive information, and reputational damage. Furthermore, if the same passwords are reused across multiple systems, the impact could extend beyond EzGED3, affecting other organizational assets. The vulnerability undermines compliance with European data protection regulations such as GDPR, which mandates adequate protection of personal data, including authentication credentials.

European organizations should immediately upgrade EzGED3 installations to version 3.5.72.27183 or later, where the vendor has addressed the insecure password hashing. Until the upgrade is applied, organizations should enforce strong password policies to reduce the risk of password cracking. Additionally, implementing multi-factor authentication (MFA) can mitigate the impact of compromised passwords. Organizations should audit their user databases for password hash exposure and monitor for suspicious login activities. If hashes are suspected to be leaked, a forced password reset should be conducted. From a development perspective, organizations should advocate for or verify the use of modern, slow, and salted password hashing algorithms such as Argon2, bcrypt, or PBKDF2 in future software versions. Network segmentation and strict access controls around user credential storage systems can further reduce the risk of hash theft.