Cyber Posture

CVE-2025-10542

Critical

Published: 25 September 2025

Modified: 15 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (39.0th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-10542 is a critical-severity Use of Default Credentials (CWE-1392) vulnerability in Sec Consult (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks at the 39.0th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Default Accounts (T1078.001). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

(prevent) Directly requires changing default authenticators prior to first use, preventing attackers from authenticating with the shipped default administrative credentials.

(prevent) Mandates account management practices including disabling unnecessary accounts and changing credentials upon creation or enablement, eliminating reliance on default administrative accounts.

(prevent) Establishes and enforces secure configuration settings that prohibit the use of default credentials in the EAM server deployment.

MITRE ATT&CK Enterprise Techniques

T1078.001 Default Accounts (Stealth)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why these techniques?

Default credentials that ship with the product, are displayed in the client's connection dialog, and are left unchanged allow direct use of a valid default account for remote authentication and full control of the server.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

iMonitor EAM 9.6394 ships with default administrative credentials that are also displayed within the management client’s connection dialog. If the administrator does not change these defaults, a remote attacker can authenticate to the EAM server and gain full control over monitored agents and data. This enables reading highly sensitive telemetry (including keylogger output) and issuing arbitrary actions to all connected clients.

Deeper analysis

CVE-2025-10542 is a critical vulnerability in iMonitor EAM version 9.6394, where the software ships with default administrative credentials that are visibly displayed within the management client’s connection dialog. If administrators fail to change these defaults, the flaw allows unauthorized authentication to the EAM server. Published on 2025-09-25, it is rated 9.8 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-1392.

A remote attacker requires only network access to the EAM server and knowledge of the unchanged default credentials, with no privileges, user interaction, or special conditions needed. Successful exploitation grants full control over the server, monitored agents, and associated data, enabling the attacker to read highly sensitive telemetry—including keylogger output—and issue arbitrary actions to all connected clients.

Advisories detailing the vulnerability, including mitigation guidance, are available from SEC Consult at https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-imonitorsoft-eam/, https://r.sec-consult.com/imonitor, and http://seclists.org/fulldisclosure/2025/Sep/72.

Details

CWE(s): CWE-1392 Use of Default Credentials

Affected Products: Sec Consult (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2025-8731 (shared CWE-1392)
CVE-2026-26341 (shared CWE-1392)
CVE-2025-1160 (shared CWE-1392)
CVE-2025-2398 (shared CWE-1392)
CVE-2025-54756 (shared CWE-1392)
CVE-2026-27751 (shared CWE-1392)
CVE-2026-1803 (shared CWE-1392)
CVE-2026-1972 (shared CWE-1392)
CVE-2022-50803 (shared CWE-1392)
CVE-2025-34516 (shared CWE-1392)
