CVE-2025-52373
Published: 21 July 2025
Summary
CVE-2025-52373 is a medium-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in hMailServer (vendor: Hmailserver). Its CVSS base score is 4.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). The vulnerability is ranked at the 32.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22113
Vulnerability details
Use of a hardcoded cryptographic key in BlowFish.cpp in hMailServer 5.8.6 and 5.6.9-beta allows an attacker to decrypt passwords used in database connections from the hMailServer.ini config file.
- CWE(s): CWE-321 (Use of Hard-coded Cryptographic Key)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The hardcoded Blowfish key enables decryption of database and admin passwords stored in hMailServer.ini and related config files (T1552.001), facilitating subsequent access to and export of credentials and data from the encrypted hMailServer.sdf database (T1213.006).
Mitigating Controls
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Supply chain protection includes scrutiny of cryptographic implementations, reducing hard-coded keys planted by untrusted vendors.
- Functional and assurance requirements specified in acquisition can prohibit hard-coded cryptographic keys in delivered products.
- Proper key establishment and management processes directly preclude embedding static cryptographic keys in source code or binaries.
- Approved PKI issuance and trust stores replace ad-hoc or hard-coded keys with properly managed, signed certificates.
- Assessments can uncover and prevent suppliers from shipping components that contain hard-coded cryptographic keys.