Cyber Resilience

CVE-2025-12774

Severity: Medium

Published: 03 February 2026
Modified: 03 March 2026
KEV Added: not listed
Patch: upgrade to SANnav 3.0 or later (see the vendor advisory below)
CVSS Score (v4.0): 4.6, vector CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0001 (1.1 percentile)
Risk Priority: 9 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-12774 is a medium-severity Cleartext Storage of Sensitive Information (CWE-312) vulnerability in Broadcom (Brocade) SANnav. Its CVSS v4.0 base score is 4.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). Its EPSS score places it at the 1.1 percentile for exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-28 (Protection of Information at Rest).

Deeper analysis

CVE-2025-12774 is a vulnerability in the migration script of Brocade SANnav versions prior to 3.0. The flaw causes database SQL queries to be collected into the SANnav supportsave file, exposing sensitive information to anyone who can read that bundle. The issue is classified under CWE-312. This entry also records a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), which would indicate high confidentiality impact with no privileges or user interaction required; note that this differs from the CVSS v4.0 assessment at the top of this page (4.6, AV:L/PR:H, i.e. local access with high privileges), so confirm the authoritative scoring against the vendor advisory and NVD before using it for prioritisation.

An attacker who obtains a Brocade SANnav supportsave file does not need to attack a running service at all: opening the archive is enough to extract sensitive details such as database table structures and encrypted passwords. Reaching the file is therefore the real barrier. Supportsave bundles are generated for troubleshooting and support, and in practice they travel through ticketing systems, e-mail, file shares and administrator workstations, so the realistic exposure is mishandling of the artifact rather than a remote attack on SANnav itself. The v3.1 vector quoted above treats the attack as network-reachable, which is best read as the file being obtainable remotely once it has been mishandled or exposed.

The Broadcom security advisory at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36848 provides mitigation details, including the recommendation to upgrade to SANnav 3.0 or later, where the issue is addressed. Security practitioners should review the advisory for full patch information and for guidance on handling supportsave files already generated by vulnerable versions; those existing bundles remain sensitive after the upgrade and should be located, access-restricted or destroyed.
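As a practical check for bundles already generated by a pre-3.0 installation, the following Python script is an added example written for this page; it is not Broadcom's tooling and is not taken from the advisory. It assumes a supportsave is a gzip-compressed tar archive of text log files (the real internal layout is not documented here, so treat the member names and structure as an assumption), scans each member for SQL statement keywords, password-hash shapes and key=value secrets, and reports findings with secret values masked so the report itself can be attached to a ticket. The archive it scans, and the log lines inside it, are constructed inline for demonstration.

```python
"""Triage check: does a supportsave bundle contain SQL text or credential material?

Added example for this page, not Broadcom tooling. Assumption: the bundle is a
gzip tarball of text logs; the member names and sample log lines below are
constructed for demonstration.
"""
import io
import re
import tarfile
from collections import Counter
from typing import Dict, List

# Heuristic patterns, not a SQL grammar: a statement keyword that should never
# appear in a log, a key=value / key: value pair naming a secret, and the
# shape of bcrypt / sha-crypt password hashes.
SQL_RE = re.compile(
    r"\b(SELECT|INSERT\s+INTO|UPDATE|DELETE\s+FROM|CREATE\s+TABLE|ALTER\s+TABLE)\b",
    re.IGNORECASE,
)
SECRET_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)\b\s*[=:]\s*(\S+)"
)
HASH_RE = re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}|\$[56]\$[^$\s]+\$[./A-Za-z0-9]+")


def redact(value: str) -> str:
    """Keep a 3-character prefix so the finding is recognisable without re-leaking the value."""
    return value[:3] + "*" * max(0, len(value) - 3)


def scan_text(member: str, text: str) -> List[dict]:
    """Return one finding per offending line; credential hits take precedence over SQL hits."""
    findings: List[dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SECRET_RE.search(line)
        if m:
            findings.append({"file": member, "line": lineno, "kind": "credential",
                             "detail": f"{m.group(1)}={redact(m.group(2))}"})
            continue
        if HASH_RE.search(line):
            findings.append({"file": member, "line": lineno, "kind": "credential",
                             "detail": "password hash"})
            continue
        m = SQL_RE.search(line)
        if m:
            findings.append({"file": member, "line": lineno, "kind": "sql",
                             "detail": m.group(1).upper()})
    return findings


def scan_archive(data: bytes) -> List[dict]:
    """Walk every regular file in a .tar.gz and scan it as text; members that look binary are skipped."""
    findings: List[dict] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            fobj = tar.extractfile(member)
            if fobj is None:
                continue
            raw = fobj.read()
            if b"\x00" in raw[:4096]:  # crude binary detection
                continue
            findings.extend(scan_text(member.name, raw.decode("utf-8", errors="replace")))
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings by kind, e.g. {'credential': 2, 'sql': 1}."""
    return dict(Counter(f["kind"] for f in findings))


def build_sample_archive() -> bytes:
    """Constructed test data: one benign migration log and one that embeds SQL and secrets."""
    clean = ("2026-02-03 10:00:01 INFO migration started\n"
             "2026-02-03 10:00:02 INFO schema check complete\n")
    leaky = (
        "2026-02-03 10:00:03 DEBUG SELECT id, name FROM fabric_switch WHERE state = 'online'\n"
        "2026-02-03 10:00:04 DEBUG INSERT INTO app_user (name, password) VALUES ('admin', "
        "'$2b$12$KIXQ1q4dZ3Fj9nC0h7N6puD3tXy5bZ3p4Y7j6Lk2Qm1Wv8Xr9Zt0e')\n"
        "2026-02-03 10:00:05 DEBUG db.password=hunter2\n"
    )
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in (("supportsave/migration/clean.log", clean),
                              ("supportsave/migration/db_migration.log", leaky)):
            payload = content.encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    results = scan_archive(build_sample_archive())
    for r in results:
        print(f"{r['kind']:<10} {r['file']}:{r['line']}  {r['detail']}")
    print("summary:", summarize(results))
```

Run it against a real bundle by replacing build_sample_archive() with the bytes of the .tar.gz; any "sql" or "credential" finding means the file must be treated as credential material (restricted storage, tracked distribution, destruction after the support case closes) regardless of which SANnav version produced it. The patterns are deliberately broad and will produce some false positives on ordinary logs; that is the right trade-off for a pre-sharing gate.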


Vulnerability details

A vulnerability in the migration script for Brocade SANnav before 3.0 could allow the collection of database SQL queries in the SANnav support save file. An attacker with access to a Brocade SANnav supportsave file could open the file and then obtain sensitive information such as details of database tables and encrypted passwords.

CWE(s)

CWE-312 Cleartext Storage of Sensitive Information

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

The vulnerability places credentials and database structures inside a generated support file in readable form, so credential access from local files follows directly once the artifact is obtained; no further exploitation of SANnav is needed.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-5462 (same vendor: Broadcom)
CVE-2019-25279 (shared CWE-312)
CVE-2025-26495 (shared CWE-312)
CVE-2025-22896 (shared CWE-312)
CVE-2026-0383 (same vendor: Broadcom)
CVE-2025-58383 (same vendor: Broadcom)
CVE-2025-58382 (same vendor: Broadcom)
CVE-2024-2240 (same vendor: Broadcom)
CVE-2025-9711 (same vendor: Broadcom)
CVE-2024-1509 (same vendor: Broadcom)

Affected Assets

broadcom
sannav
< 3.0 (all versions before 3.0, per the vulnerability description; 3.0 contains the fix)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SC-28 Protection of Information at Rest (prevent)
Directly requires protection of sensitive data (SQL queries, encrypted passwords) stored at rest inside the generated supportsave file.

AC-3 Access Enforcement (prevent)
Enforces access restrictions so that only authorized users can obtain or open the supportsave file containing the leaked database contents.

MP-4 Media Storage (prevent, partial match)
Requires secure storage controls for the supportsave file (treated as media) that holds sensitive database information.
