CVE-2025-3426

We observed that Intellispace Portal binaries doesn’t have any protection mechanisms to prevent reverse engineering. Specifically, the app’s code is not obfuscated, and no measures are in place to protect against decompilation, disassembly, or debugging. As a result, attackers can reverse-engineer the application to gain insights into its internal workings, which can potentially lead to the discovery of sensitive information, business logic flaws, and other vulnerabilities. Utilizing this flaw, the attacker was able to identify the Hardcoded credentials from PortalUsersDatabase.dll, which contains .NET remoting definition. Inside the namespace PortalUsersDatabase, the class Users contains the functions CreateAdmin and CreateService that are used to initialize accounts in the Portal service. Both CreateAdmin and CreateService functions contain a hardcoded encrypted password along with its respective salt that are set with the function SetInitialPasswordAndSalt. This issue affects IntelliSpace Portal: 12 and prior; Advanced Visualization Workspace: 15.

CVSS

No CVSS.

References

Link	Resource
https://www.cve.org/CVERecord?id=CVE-2025-3426
https://www.philips.com/a-w/security/security-advisories.html#security_advisories

Configurations

No configuration.

History

No history.

Information

Published : 2025-04-07 17:15

Updated : 2025-04-10 16:15

NVD link : CVE-2025-3426

Mitre link : CVE-2025-3426

CVE.ORG link : CVE-2025-3426

JSON object : View

Products Affected

No product.

CWE

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2025-3426", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "20705f08-db8b-4497-8f94-7eea62317651", "cvssData": {"Safety": "PRESENT", "version": "4.0", "Recovery": "USER", "baseScore": 7.2, "Automatable": "YES", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:M/U:Green", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "GREEN", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-04-07T17:15:40.073", "references": [{"url": "https://www.cve.org/CVERecord?id=CVE-2025-3426", "source": "20705f08-db8b-4497-8f94-7eea62317651"}, {"url": "https://www.philips.com/a-w/security/security-advisories.html#security_advisories", "source": "20705f08-db8b-4497-8f94-7eea62317651"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "20705f08-db8b-4497-8f94-7eea62317651", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "We observed that Intellispace Portal binaries doesn\u2019t have any protection mechanisms to prevent reverse engineering. Specifically, the app\u2019s code is not obfuscated, and no measures are in place to protect against decompilation, disassembly, or debugging. As a result, attackers can reverse-engineer the application to gain insights into its internal workings, which can potentially lead to the discovery of sensitive information, business logic flaws, and other vulnerabilities.\nUtilizing this flaw, the attacker was able to identify the Hardcoded credentials from PortalUsersDatabase.dll, which contains .NET remoting definition. Inside the namespace PortalUsersDatabase, the class Users contains the functions CreateAdmin and CreateService that are used to initialize accounts in the Portal service. Both CreateAdmin and CreateService functions contain a hardcoded encrypted password along with its respective salt that are set with the function SetInitialPasswordAndSalt.\nThis issue affects IntelliSpace Portal: 12 and prior; Advanced Visualization Workspace: 15."}, {"lang": "es", "value": "Observamos que los binarios de Intellispace Portal carecen de mecanismos de protecci\u00f3n para evitar la ingenier\u00eda inversa. En concreto, el c\u00f3digo de la aplicaci\u00f3n no est\u00e1 ofuscado y no existen medidas de protecci\u00f3n contra la descompilaci\u00f3n, el desensamblado ni la depuraci\u00f3n. Como resultado, los atacantes pueden aplicar ingenier\u00eda inversa a la aplicaci\u00f3n para obtener informaci\u00f3n sobre su funcionamiento interno, lo que podr\u00eda conducir al descubrimiento de informaci\u00f3n confidencial, fallos de l\u00f3gica de negocio y otras vulnerabilidades. Aprovechando esta vulnerabilidad, el atacante pudo identificar las credenciales codificadas de PortalUsersDatabase.dll, que contiene la definici\u00f3n de comunicaci\u00f3n remota .NET. Dentro del espacio de nombres PortalUsersDatabase, la clase Users contiene las funciones CreateAdmin y CreateService, que se utilizan para inicializar cuentas en el servicio Portal. Ambas funciones, CreateAdmin y CreateService, contienen una contrase\u00f1a cifrada codificada junto con su respectiva sal, que se configura con la funci\u00f3n SetInitialPasswordAndSalt. Este problema afecta a IntelliSpace Portal: versi\u00f3n 12 y anteriores; Advanced Visualization Workspace: versi\u00f3n 15."}], "lastModified": "2025-04-10T16:15:29.460", "sourceIdentifier": "20705f08-db8b-4497-8f94-7eea62317651"}