CVE-2025-3895

Summary

Token used for resetting passwords in MegaBIP software are generated using a small space of random values combined with a queryable value. It allows an unauthenticated attacker who know user login names to brute force these tokens and change account passwords (including these belonging to administrators).  Version 5.20 of MegaBIP fixes this issue.

Affected Software

VendorProductVersion RangeStatus
Jan SyskiMegaBIP0 <= 5.19affected

Weaknesses

  • CWE-334: CWE-334 Small Space of Random Values

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References