CVE-2025-61680: CWE-256: Plaintext Storage of a Password in jaketcooper Minecraft-rcon

Severity: Medium
Published: Fri Oct 03 2025 (10/03/2025, 21:37:31 UTC)
Source: CVE Database V5
Vendor/Project: jaketcooper
Product: Minecraft-rcon

Description

Minecraft RCON Terminal is a VS Code extension that streamlines Minecraft server management. Versions 0.1.0 through 2.0.6 store passwords using VS Code's configuration API, which writes to settings.json in plaintext. This issue is fixed in version 2.1.0.

AI-Powered Analysis

Last updated: 10/03/2025, 21:42:09 UTC

Technical Analysis

CVE-2025-61680 is a medium-severity vulnerability in Minecraft RCON Terminal, a Visual Studio Code extension developed by jaketcooper to facilitate Minecraft server management. In versions 0.1.0 through 2.0.6, the extension stores the server password in plaintext in the VS Code settings.json configuration file. This file sits on the local filesystem and is neither encrypted nor obfuscated, so any user or process with access to the user's profile directory can read the password directly. The vulnerability is classified under CWE-256, plaintext storage of a password. The issue is resolved in version 2.1.0 of the extension.

The CVSS 4.0 base score is 6.6 (medium), with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality (VC:H) but no impact on integrity or availability. This means an attacker can remotely exploit this vulnerability without authentication or user interaction, primarily by gaining access to the victim's local environment or by other means of reading the plaintext password stored locally.

Because the password is stored in plaintext, its compromise could lead to unauthorized access to the Minecraft server via RCON, potentially allowing an attacker to execute remote commands on the server, which could disrupt server operations or lead to further compromise. There are no known exploits in the wild at the time of publication, and no direct patch links were provided; upgrading to version 2.1.0 is the recommended remediation.

Potential Impact

For European organizations running Minecraft servers managed via the Minecraft RCON Terminal extension, this vulnerability poses a risk of unauthorized server access. If an attacker gains access to a developer or administrator's workstation where the VS Code extension is installed, they can retrieve the plaintext password and remotely control the Minecraft server. This could lead to server disruption, data loss, or unauthorized changes to server configurations. While Minecraft servers are often used for gaming and educational purposes, some organizations use them for community engagement or internal training, so disruption could impact business continuity or reputation. Additionally, if the compromised server is part of a larger network, attackers could use it as a foothold for lateral movement. The vulnerability's impact is heightened in environments where endpoint security is weak or where multiple administrators share workstations. Since the password is stored locally and no authentication or user interaction is required for exploitation, the risk is significant if local system access is obtained. However, the vulnerability does not directly allow remote exploitation over the internet without prior access to the victim's machine or configuration files.

Mitigation Recommendations

1. Immediate upgrade to Minecraft RCON Terminal extension version 2.1.0 or later, where the plaintext password storage issue is fixed.
2. Avoid storing sensitive passwords in VS Code settings.json or any plaintext configuration files; instead, use secure credential storage mechanisms such as OS-level credential managers or encrypted vaults integrated with the development environment.
3. Restrict access permissions to the VS Code settings directory to limit exposure of sensitive files to unauthorized users or processes.
4. Implement endpoint security controls including disk encryption, strong user authentication, and malware protection to prevent unauthorized local access.
5. Regularly audit and rotate Minecraft server RCON passwords to limit the window of exposure if credentials are compromised.
6. Educate administrators and developers on secure handling of credentials within development tools and extensions.
7. Monitor Minecraft server logs for unusual remote command execution that could indicate compromise.
8. Consider network segmentation to isolate Minecraft servers from critical infrastructure to reduce potential lateral movement.
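An added example, not code from the extension or from this page: a Python audit supporting recommendations 2 and 3 that parses a VS Code settings.json (which is JSONC, so comments and trailing commas are allowed) and reports the names of non-empty secret-like settings, plus whether the file is readable by group or others. The name pattern and the `exampleRcon.*` setting names are assumptions; the page does not give the extension's actual setting key.

```python
import json
import os
import re

# Assumption: setting names containing these words hold credentials.
SECRET_NAME = re.compile(r"password|passwd|secret|token", re.I)
STRING = r'"(?:\\.|[^"\\])*"'

def strip_jsonc(text):
    """settings.json is JSONC: drop comments and trailing commas, keep strings."""
    keep_str = lambda m: m.group() if m.group().startswith('"') else ""
    text = re.sub(STRING + r"|//[^\n]*|/\*.*?\*/", keep_str, text, flags=re.S)
    return re.sub(STRING + r"|,(?=\s*[}\]])", keep_str, text)

def find_plaintext_secrets(settings_text):
    """Return the names (never the values) of non-empty secret-like settings."""
    hits = []
    def walk(node, path, key):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}/{k}" if path else k, k)
        elif isinstance(node, list):
            for n, v in enumerate(node):
                walk(v, f"{path}[{n}]", key)
        elif isinstance(node, str) and node and SECRET_NAME.search(key):
            hits.append(path)
    walk(json.loads(strip_jsonc(settings_text)), "", "")
    return hits

def audit_file(path):
    """Audit one settings.json; the permission check is POSIX-only."""
    with open(path, encoding="utf-8") as fh:
        hits = find_plaintext_secrets(fh.read())
    return hits, bool(os.stat(path).st_mode & 0o077)

# Constructed sample; the "exampleRcon.*" setting names are hypothetical.
SAMPLE = '''{
  // server connection
  "editor.fontSize": 14,
  "exampleRcon.host": "mc.example.internal", /* note */
  "exampleRcon.password": "hunter2//not-a-comment",
  "exampleRcon.servers": [
    {"name": "lobby", "password": "", "url": "http://10.0.0.5:25575"},
    {"name": "survival", "password": "s3cret,}",},
  ],
}'''

if __name__ == "__main__":
    print(find_plaintext_secrets(SAMPLE))
```

Point `audit_file` at the user-level settings.json and at any workspace `.vscode/settings.json`, since VS Code's configuration API can write to either.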

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-09-29T20:25:16.181Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68e04324a707627a15869645

Added to database: 10/3/2025, 9:41:56 PM

Last enriched: 10/3/2025, 9:42:09 PM

Last updated: 10/3/2025, 10:11:50 PM
