Cyber Resilience

CVE-2025-52373

MediumPublic PoC

Published: 21 July 2025

Published
21 July 2025
Modified
07 August 2025
KEV Added
Patch
CVSS Score v3.1 4.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
EPSS Score 0.0013 32.5th percentile
Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-52373 is a medium-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Hmailserver Hmailserver. Its CVSS base score is 4.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 32.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

Use of hardcoded cryptographic key in BlowFish.cpp in hMailServer 5.8.6 and 5.6.9-beta allows attacker to decrypt passwords used in database connections from hMailServer.ini config file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

The hardcoded Blowfish key enables decryption of database and admin passwords stored in hMailServer.ini and related config files (T1552.001), facilitating subsequent access to and export of credentials and data from the encrypted hMailServer.sdf database (T1213.006).

Affected Assets

hmailserver
hmailserver
5.6.9, 5.8.6

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-321

Supply chain protection includes scrutiny of cryptographic implementations, reducing hard-coded keys planted by untrusted vendors.

addresses: CWE-321

Functional and assurance requirements specified in acquisition can prohibit hard-coded cryptographic keys in delivered products.

addresses: CWE-321

Proper key establishment and management processes directly preclude embedding static cryptographic keys in source code or binaries.

addresses: CWE-321

Approved PKI issuance and trust stores replace ad-hoc or hard-coded keys with properly managed, signed certificates.

addresses: CWE-321

Assessments can uncover and prevent suppliers from shipping components that contain hard-coded cryptographic keys.

References