Vulnerability Description
ConnectWise-Password-Encryption-Utility.exe in ConnectWise Risk Assessment allows an attacker to extract a hardcoded AES decryption key via reverse engineering. This key is embedded in plaintext within the binary and used in cryptographic operations without dynamic key management. Once obtained, the key can be used to decrypt CSV input files used for authenticated network scanning.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| ConnectWise | Risk Assessment | < 2023-07-01 |
Related Weaknesses (CWE)
References
- https://github.com/packetlabs/vulnerability-advisory/blob/main/Disclosures/PL-20 (Third Party Advisory)
FAQ
What is CVE-2025-4876?
CVE-2025-4876 is a vulnerability with a CVSS score of 6.0 (MEDIUM). ConnectWise-Password-Encryption-Utility.exe in ConnectWise Risk Assessment allows an attacker to extract a hardcoded AES decryption key via reverse engineering. This key is embedded in plaintext withi...
How severe is CVE-2025-4876?
CVE-2025-4876 has been rated MEDIUM with a CVSS base score of 6.0/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2025-4876?
Check the references section above for vendor advisories and patch information. Affected products include: ConnectWise Risk Assessment.