CVE-2025-2265
Published: 13 March 2025
Summary
CVE-2025-2265 is a high-severity Use of Password Hash With Insufficient Computational Effort (CWE-916) vulnerability. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). The CVE ranks at the 19.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
- IA-5 (Authenticator Management): Directly requires management of authenticators with sufficient strength of mechanism and protection from unauthorized disclosure, addressing the flawed zero-padding, SHA1 hashing, and truncation in password storage.
- SI-2 (Flaw Remediation): Mandates identification, reporting, testing, and timely installation of updates to remediate flaws like the truncated password hash storage in Sante PACS Server.exe.
- AC-6 (Least Privilege): Enforces least privilege to prevent low-privilege local attackers from accessing the SQLite HTTP.db containing the vulnerable password hashes.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability is a flawed password hashing/storage mechanism (truncation on zero bytes in SHA1 hash) in an application database file, directly enabling local attackers to compromise and recover web user credentials.
NVD Description
The password of a web user in "Sante PACS Server.exe" is zero-padded to 0x2000 bytes, SHA1-hashed, base64-encoded, and stored in the USER table in the SQLite database HTTP.db. However, the number of hash bytes encoded and stored is truncated if the hash contains a zero byte.
Deeper analysis (AI)
CVE-2025-2265 is a vulnerability in Sante PACS Server.exe, published on 2025-03-13, affecting the password storage mechanism for web users. Passwords are zero-padded to 0x2000 bytes, SHA1-hashed, base64-encoded, and stored in the USER table of the SQLite database HTTP.db. However, if the hash contains a zero byte, the number of hash bytes encoded and stored is truncated. The weakness is classified as CWE-916. The issue has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability can be exploited by a local attacker with low privileges (PR:L), requiring low attack complexity and no user interaction. Successful exploitation enables high-impact consequences on confidentiality, integrity, and availability, potentially allowing the attacker to compromise user credentials or escalate control over the affected system due to the flawed hashing process.
Mitigation details are provided in the Tenable research advisory at https://www.tenable.com/security/research/tra-2025-08.
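The storage format described above can be modelled to show how a defender would recognise affected rows: a stored value that decodes to fewer than 20 bytes is a shortened SHA-1 digest. The following Python is an added example, not code from Sante PACS Server or the Tenable advisory; it assumes the digest is cut at its first zero byte (the page only says the stored bytes are truncated), and the function names and sample accounts are constructed for illustration.

```python
import base64
import hashlib

PAD_LEN = 0x2000  # pad length given in the NVD description
SHA1_LEN = 20     # size of a full SHA-1 digest in bytes

def modelled_stored_hash(password: str) -> str:
    """Model of the described storage format.

    ASSUMPTION: the digest is cut at its first zero byte (C-string style);
    the page only says the stored bytes are truncated when one is present.
    """
    padded = password.encode("utf-8").ljust(PAD_LEN, b"\x00")
    digest = hashlib.sha1(padded).digest()
    cut = digest.find(b"\x00")
    kept = digest if cut < 0 else digest[:cut]
    return base64.b64encode(kept).decode("ascii")

def kept_bytes(stored_b64: str) -> int:
    """Number of digest bytes that actually reached the database."""
    return len(base64.b64decode(stored_b64))

def audit(rows):
    """Return (user, kept_bytes) for every row holding a shortened digest."""
    return [(user, kept_bytes(h)) for user, h in rows
            if kept_bytes(h) < SHA1_LEN]

def expected_truncated_fraction() -> float:
    """Chance that a uniformly random 20-byte digest contains a zero byte."""
    return 1 - (255 / 256) ** SHA1_LEN

def constructed_rows(count: int = 200):
    """Constructed sample accounts; not data from a real HTTP.db."""
    return [(f"user{i}", modelled_stored_hash(f"constructed-pw-{i}"))
            for i in range(count)]

if __name__ == "__main__":
    rows = constructed_rows()
    flagged = audit(rows)
    print(f"expected fraction: {expected_truncated_fraction():.3f}")
    print(f"flagged {len(flagged)} of {len(rows)} constructed accounts")
    for user, n in flagged:
        print(f"  {user}: {n} of {SHA1_LEN} digest bytes stored")
```

Under this model roughly 7.5% of accounts end up with a shortened digest, and an empty stored value (zero byte in the first position) is the extreme case the audit also reports.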
Details
- CWE(s)