Cyber Posture

CVE-2025-27508

High

Published: 05 March 2025

Modified: 15 April 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0013 (32.0th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-27508 is a high-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Transmitted Data Manipulation (T1565.002). The CVE ranks at the 32.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Transmitted Data Manipulation (T1565.002). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

SI-2 requires timely identification, reporting, and remediation of system flaws like CVE-2025-27508, directly addressing the weak algorithms in ChecksumCalculator by applying the fix in Emissary 8.24.0.

prevent

SC-13 mandates the use of organization-defined cryptographic mechanisms excluding weak algorithms like SHA-1, CRC32, and SSDEEP, preventing their application in checksum generation for data integrity.

prevent, detect

SI-7 requires software integrity verification using robust mechanisms, mitigating risks from weak checksums by detecting alterations or enforcing stronger hashing in Emissary workflows.

MITRE ATT&CK Enterprise Techniques (AI)

T1565.002 Transmitted Data Manipulation (Tactic: Impact)
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

The weak checksum algorithms (SHA-1, CRC32, SSDEEP) allow collisions to be generated and checksum validation to be bypassed, so data integrity in P2P workflows can be manipulated, which directly facilitates transmitted data manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Emissary is a P2P based data-driven workflow engine. The ChecksumCalculator class within allows for hashing and checksum generation, but it includes or defaults to algorithms that are no longer recommended for secure cryptographic use cases (e.g., SHA-1, CRC32, and SSDEEP). These algorithms, while possibly valid for certain non-security-critical tasks, can expose users to security risks if used in scenarios where strong cryptographic guarantees are required. This issue is fixed in 8.24.0.

Deeper analysis (AI)

CVE-2025-27508 affects Emissary, a peer-to-peer (P2P) based data-driven workflow engine developed by the National Security Agency. The vulnerability resides in the ChecksumCalculator class, which supports hashing and checksum generation using algorithms that are no longer recommended for secure cryptographic applications, such as SHA-1, CRC32, and SSDEEP. While these may suffice for non-security-critical tasks, their use in scenarios requiring strong cryptographic integrity can lead to risks like hash collisions or weak verification, tracked under CWE-327 (Use of a Broken or Risky Cryptographic Algorithm). The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and was published on March 5, 2025.

Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges, user interaction, or special setup. Exploitation targets the integrity (I:H) aspect, potentially allowing adversaries to manipulate data by generating collisions or bypassing checksum validations in Emissary workflows, without impacting confidentiality or availability. Any unauthenticated network actor interacting with Emissary instances using the affected ChecksumCalculator could achieve this, compromising the trustworthiness of data processing in P2P environments.

The GitHub security advisory (GHSA-hw43-fcmm-3m5g) and associated commit (da3a81a8977577597ff2a944820a5ae4e9762368) confirm the fix in Emissary version 8.24.0, recommending immediate upgrades to eliminate the weak algorithms. Practitioners should review deployments for prior versions and audit usage of ChecksumCalculator to ensure it aligns with security requirements.
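
One way to carry out the audit suggested above, as an added example that is not from this page or the Emissary project: a Python scan of Java sources for ChecksumCalculator references and the algorithm names the description lists. The regex rules, function names and the sample source are assumptions of this example.

```python
import re
from pathlib import Path

# Names taken from the advisory text; the patterns are this example's own choice.
RULES = {
    "ChecksumCalculator use": re.compile(r"\bChecksumCalculator\b"),
    "SHA-1": re.compile(r'"SHA-?1"', re.I),
    "CRC32": re.compile(r"\bCRC32\b"),
    "SSDEEP": re.compile(r"\bssdeep\b", re.I),
}
# String literals are matched first so that "//" inside a string is not a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

def strip_comments(src):
    """Blank out Java comments, keeping string literals and line numbers."""
    def blank(m):
        tok = m.group(0)
        return tok if tok.startswith('"') else re.sub(r"[^\n]", " ", tok)
    return _TOKEN.sub(blank, src)

def scan_source(src, name="<memory>"):
    """Return (file, line_no, rule) findings for one source text, in line order."""
    findings = []
    for no, line in enumerate(strip_comments(src).splitlines(), 1):
        for rule, pat in RULES.items():
            if pat.search(line):
                findings.append((name, no, rule))
    return findings

def scan_tree(root):
    """Scan every .java file under root."""
    out = []
    for p in sorted(Path(root).rglob("*.java")):
        out += scan_source(p.read_text(encoding="utf-8", errors="replace"), str(p))
    return out

# Constructed sample; call shapes are illustrative, not checked against Emissary's API.
SAMPLE = '''\
// legacy: used CRC32 here
import java.util.zip.CRC32;
class Verify {
    /* ChecksumCalculator was
       considered */
    String src = "http://example.invalid/x"; String alg = "SHA-1";
    Object c = new ChecksumCalculator();
    String ok = "SHA-256";
}
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE, "Verify.java"):
        print("%s:%d: %s" % f)
```

Each finding is a lead for manual review: whether the checksum at that call site is relied on for integrity decides if it needs a stronger algorithm.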

Details

CWE(s)

CVEs Like This One

CVE-2026-1627 (Shared CWE-327)
CVE-2024-31896 (Shared CWE-327)
CVE-2026-26219 (Shared CWE-327)
CVE-2025-14480 (Shared CWE-327)
CVE-2024-41763 (Shared CWE-327)
CVE-2024-27256 (Shared CWE-327)
CVE-2026-1626 (Shared CWE-327)
CVE-2025-58743 (Shared CWE-327)
CVE-2024-43178 (Shared CWE-327)
CVE-2024-52884 (Shared CWE-327)
