CVE-2025-27580

Summary

NIH BRICS (aka Biomedical Research Informatics Computing System) through 14.0.0-67 generates predictable tokens (that depend on username, time, and the fixed 7Dl9#dj- string) and thus allows unauthenticated users with a Common Access Card (CAC) to escalate privileges and compromise any account, including administrators.

Affected Software

VendorProductVersion RangeStatus
NIHBRICS0 <= 14.0.0-67affected

Weaknesses

  • CWE-335: CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References