CVE-2025-59745: CWE-327 Use of a Broken or Risky Cryptographic Algorithm in AndSoft e-TMS
Vulnerability in the cryptographic algorithm of AndSoft's e-TMS v25.03, which uses MD5 to encrypt passwords. MD5 is a cryptographically vulnerable hash algorithm and is no longer considered secure for storing or transmitting passwords. It is vulnerable to collision attacks and can be easily cracked with modern hardware, exposing user credentials to potential risks.
AI Analysis
Technical Summary
CVE-2025-59745 identifies a cryptographic vulnerability in AndSoft's e-TMS version 25.03, where the application uses the MD5 algorithm to hash passwords. MD5 is widely recognized as a broken and insecure cryptographic hash function due to its susceptibility to collision attacks and rapid hash cracking using modern hardware such as GPUs and ASICs. The use of MD5 for password hashing means that attackers who gain access to hashed password data can efficiently reverse the hashes or find collisions, exposing user credentials. This vulnerability does not require authentication or user interaction to exploit, as it targets the inherent weakness in the cryptographic algorithm itself. The CVSS v4.0 score of 6.9 (medium severity) reflects the network attack vector, low attack complexity, and no privileges or user interaction needed, but limited impact on confidentiality (low), and no impact on integrity or availability. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk if attackers obtain hashed password data, potentially leading to unauthorized access and credential compromise. The lack of a patch or mitigation from the vendor at this time increases the urgency for organizations to implement compensating controls. The root cause is the continued use of an outdated cryptographic primitive (MD5) instead of modern, secure password hashing algorithms such as bcrypt, Argon2, or PBKDF2, which provide resistance against brute force and collision attacks.
Potential Impact
For European organizations using AndSoft e-TMS v25.03, this vulnerability could lead to the exposure of user credentials if password hashes are leaked or accessed by attackers. This could result in unauthorized access to transportation management systems, potentially disrupting logistics operations, compromising sensitive business data, and enabling lateral movement within corporate networks. Given the critical role of transportation management in supply chains, exploitation could indirectly impact availability of goods and services. The medium severity rating suggests that while the vulnerability is not trivially exploitable for full system compromise, the confidentiality risk to user credentials is significant. Organizations in sectors such as manufacturing, logistics, and retail that rely on e-TMS for operational management are particularly at risk. Additionally, the lack of authentication or user interaction required for exploitation means attackers can target exposed password databases remotely if they gain access through other means. The vulnerability also raises compliance concerns under GDPR, as compromised credentials could lead to unauthorized access to personal data, triggering breach notification requirements and potential regulatory penalties.
Mitigation Recommendations
Immediate mitigation should focus on replacing the MD5 hashing mechanism with a secure, modern password hashing algorithm such as Argon2, bcrypt, or PBKDF2 with appropriate salting and iteration counts. Since no official patch is currently available, organizations should engage with AndSoft for an update timeline and consider applying compensating controls such as network segmentation to limit access to the e-TMS system and its databases. Implementing multi-factor authentication (MFA) can reduce the risk of credential misuse even if hashes are compromised. Regularly monitoring for unusual login activity and conducting password audits to enforce strong password policies will help mitigate risk. Additionally, organizations should ensure encrypted backups and secure storage of password hashes to prevent unauthorized access. If possible, migrating to a newer version of e-TMS that addresses this vulnerability or switching to alternative solutions with secure cryptography should be evaluated. Finally, incident response plans should be updated to address potential credential compromise scenarios related to this vulnerability.
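The replacement recommended above, sketched as an added example (not AndSoft's code and not part of the advisory): stored MD5 values are first wrapped in salted PBKDF2 in an offline pass, then upgraded to a direct PBKDF2 hash at the next successful login. It assumes the legacy rows are unsalted hex MD5 digests; the record format, scheme tags, function names and iteration count are all hypothetical.

```python
import hashlib, hmac, secrets

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune to your hardware
WRAPPED, DIRECT = "md5+pbkdf2_sha256", "pbkdf2_sha256"  # hypothetical scheme tags

def _pbkdf2(secret: bytes, salt: bytes, iters: int) -> str:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iters).hex()

def _md5_hex(password: str) -> bytes:
    # Legacy transform only; kept solely so old rows can still be checked.
    return hashlib.md5(password.encode()).hexdigest().encode()

def _record(scheme: str, secret: bytes) -> str:
    salt = secrets.token_bytes(16)  # fresh per-user salt
    return f"{scheme}${ITERATIONS}${salt.hex()}${_pbkdf2(secret, salt, ITERATIONS)}"

def hash_password(password: str) -> str:
    return _record(DIRECT, password.encode())

def wrap_legacy(md5_hex: str) -> str:
    """Offline pass: needs no plaintext, so every stored MD5 row is converted at once."""
    return _record(WRAPPED, md5_hex.lower().encode())

def verify_and_upgrade(password: str, stored: str):
    """Return (ok, new_record); new_record is set when the row should be rewritten."""
    if "$" not in stored:  # bare legacy MD5 row that was never wrapped
        ok = hmac.compare_digest(_md5_hex(password), stored.lower().encode())
        return ok, (hash_password(password) if ok else None)
    try:
        scheme, iters, salt, digest = stored.split("$")
        if scheme not in (WRAPPED, DIRECT):
            return False, None  # unknown scheme: fail closed
        secret = _md5_hex(password) if scheme == WRAPPED else password.encode()
        ok = hmac.compare_digest(_pbkdf2(secret, bytes.fromhex(salt), int(iters)), digest)
    except (ValueError, TypeError):
        return False, None  # malformed row: fail closed
    stale = scheme == WRAPPED or int(iters) < ITERATIONS
    return ok, (hash_password(password) if ok and stale else None)

if __name__ == "__main__":
    legacy = hashlib.md5(b"Tr4nsport!").hexdigest()  # constructed sample row
    wrapped = wrap_legacy(legacy)
    print(wrapped.split("$")[0], verify_and_upgrade("Tr4nsport!", wrapped)[0])
```

After the offline pass the table no longer holds bare MD5 digests, and rows still tagged with the wrapped scheme identify accounts that have not logged in since.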
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: INCIBE
- Date Reserved: 2025-09-19T11:43:20.997Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68de9f650cc3618ea8d681b8
Added to database: 10/2/2025, 3:51:01 PM
Last enriched: 10/2/2025, 3:56:42 PM
Last updated: 10/7/2025, 3:15:42 AM