CVE-2025-5922: CWE-522 Insufficiently Protected Credentials in TSplus TSplus Remote Access

Severity: Medium
Published: Tue Jul 29 2025 (07/29/2025, 16:54:43 UTC)
Source: CVE Database V5
Vendor/Project: TSplus
Product: TSplus Remote Access

Description

Access to TSplus Remote Access Admin Tool is restricted to administrators (unless "Disable UAC" option is enabled) and requires a PIN code. In versions below v18.40.6.17 the PIN's hash is stored in a system registry accessible to regular users, making it possible to perform a brute-force attack using rainbow tables, since the hash is not salted. LTS (Long-Term Support) versions also received patches in v17.2025.6.27 and v16.2025.6.27 releases.

AI-Powered Analysis

Last updated: 07/29/2025, 17:18:03 UTC

Technical Analysis

CVE-2025-5922 is a medium-severity vulnerability affecting TSplus Remote Access, a remote desktop and application access solution widely used for secure remote administration. The vulnerability arises from insufficient protection of credentials, specifically the PIN code used to restrict access to the TSplus Remote Access Admin Tool.

In versions prior to v18.40.6.17 (and in Long-Term Support releases prior to the patched v17.2025.6.27 and v16.2025.6.27), the hash of the PIN code is stored unsafely in the Windows system registry. The hash is not salted, so it is vulnerable to offline brute-force attacks using rainbow tables. Because the registry key is readable by regular (non-administrator) users, an attacker with low privileges on the system can extract the hash and attempt to recover the PIN without triggering alerts or requiring elevated permissions.

The vulnerability does not require user interaction and can be exploited locally with low attack complexity. The CVSS 4.0 score is 4.8 (medium), reflecting a limited attack vector (local), low privileges required, and no user interaction, with limited confidentiality impact because the PIN is a single factor and the scope is local. No known exploits in the wild have been reported yet. The vulnerability is classified under CWE-522 (Insufficiently Protected Credentials) and CWE-759 (Use of a One-Way Hash without a Salt).

The issue has been addressed in patched versions of TSplus Remote Access, and users are advised to upgrade to v18.40.6.17 or later, or to the respective patched LTS versions.
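The CWE-759 weakness described above, shown next to a salted form, as an added example that is not TSplus code. The advisory does not name the hash algorithm or PIN length, so SHA-256, a 4-digit PIN and PBKDF2-HMAC-SHA256 as the replacement are assumptions, and the sample PIN is constructed.

```python
import hashlib
import hmac
import os

# Assumptions (not from the advisory): SHA-256 as the unsalted hash, a 4-digit
# numeric PIN, and PBKDF2-HMAC-SHA256 as the hardened replacement.
PBKDF2_ITERATIONS = 600_000


def unsalted_hash(pin: str) -> str:
    """Weak form (CWE-759): the digest depends only on the PIN."""
    return hashlib.sha256(pin.encode()).hexdigest()


def store_pin(pin: str) -> dict:
    """Hardened form: random per-record salt plus a slow key-derivation function."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": dk.hex()}


def verify_pin(pin: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def table_hits(stored_hashes, table) -> int:
    """Count how many stored values appear in one precomputed digest table."""
    return sum(1 for h in stored_hashes if h in table)


def compare_schemes(pin: str = "4821", hosts: int = 3) -> dict:
    # One table over the whole 4-digit space, computed once, reusable everywhere.
    table = {unsalted_hash(f"{n:04d}") for n in range(10_000)}
    weak = [unsalted_hash(pin) for _ in range(hosts)]    # same PIN on each host
    strong = [store_pin(pin) for _ in range(hosts)]      # fresh salt per host
    return {
        "weak_distinct": len(set(weak)),
        "weak_table_hits": table_hits(weak, table),
        "strong_distinct": len({r["hash"] for r in strong}),
        "strong_table_hits": table_hits([r["hash"] for r in strong], table),
    }


if __name__ == "__main__":
    print(compare_schemes())
```

A salt removes the precomputation advantage, but a short PIN still has a small search space, so the stored value should also be unreadable to regular users.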

Potential Impact

For European organizations, this vulnerability poses a risk primarily to the confidentiality and integrity of remote access administrative controls. If an attacker gains low-level access to a system running an unpatched TSplus Remote Access version, they could extract the PIN hash and recover the PIN, thereby potentially escalating privileges to access the Admin Tool. This could lead to unauthorized remote access, lateral movement, and compromise of sensitive systems or data. Organizations relying on TSplus for remote administration, especially in sectors with strict regulatory requirements such as finance, healthcare, and critical infrastructure, could face operational disruptions and compliance violations. The local nature of the attack limits remote exploitation, but insider threats or attackers who have already compromised user accounts could leverage this vulnerability to deepen access. The absence of salting in the PIN hash storage also indicates a design weakness that may undermine trust in the product's security posture. Given the widespread use of TSplus in European SMEs and enterprises, the vulnerability could have a broad impact if not remediated promptly.

Mitigation Recommendations

1. Immediate upgrade to the latest patched versions of TSplus Remote Access (v18.40.6.17 or later) or the corresponding patched LTS versions (v17.2025.6.27 and v16.2025.6.27) to ensure the PIN hash is stored securely with proper salting.
2. Restrict access permissions to the Windows registry keys where TSplus stores configuration data, ensuring that only trusted administrators have read access.
3. Implement endpoint detection and response (EDR) solutions to monitor and alert on unusual access to registry hives or attempts to extract credential hashes.
4. Enforce multi-factor authentication (MFA) for remote access where possible to reduce reliance on the PIN alone.
5. Conduct regular audits of user privileges and remove unnecessary local accounts that could be leveraged to exploit this vulnerability.
6. Educate administrators about the risks of enabling the "Disable UAC" option, which weakens access restrictions.
7. Monitor vendor advisories for any updates or additional patches related to this vulnerability.
8. Consider network segmentation to isolate systems running TSplus Remote Access from less trusted user groups to limit local attack vectors.

Technical Details

Data Version: 5.1
Assigner Short Name: CERT-PL
Date Reserved: 2025-06-09T14:00:25.264Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6888feb4ad5a09ad008eef18

Added to database: 7/29/2025, 5:02:44 PM

Last enriched: 7/29/2025, 5:18:03 PM

Last updated: 9/3/2025, 3:51:15 AM
