{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-2772","assignerOrgId":"99f1926a-a320-47d8-bbb5-42feb611262e","state":"PUBLISHED","assignerShortName":"zdi","dateReserved":"2025-03-24T19:44:31.977Z","datePublished":"2025-04-23T16:52:23.349Z","dateUpdated":"2025-04-23T17:49:13.439Z"},"containers":{"cna":{"providerMetadata":{"orgId":"99f1926a-a320-47d8-bbb5-42feb611262e","shortName":"zdi","dateUpdated":"2025-04-23T16:52:23.349Z"},"title":"BEC Technologies Multiple Routers Insufficiently Protected Credentials Information Disclosure Vulnerability","descriptions":[{"lang":"en","value":"BEC Technologies Multiple Routers Insufficiently Protected Credentials Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of BEC Technologies routers. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within /cgi-bin/tools_usermanage.asp. The issue results from transmitting a list of users and their credentials to be handled on the client side. An attacker can leverage this vulnerability to disclose transported credentials, leading to further compromise. \nWas ZDI-CAN-25895."}],"affected":[{"vendor":"BEC Technologies","product":"Multiple Routers","versions":[{"version":"1.04.1.512, 1.04.1.542","status":"affected"}],"defaultStatus":"unknown"}],"problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-522","description":"CWE-522: Insufficiently Protected Credentials","type":"CWE"}]}],"references":[{"url":"https://www.zerodayinitiative.com/advisories/ZDI-25-185/","name":"ZDI-25-185","tags":["x_research-advisory"]}],"dateAssigned":"2025-03-24T19:44:32.005Z","datePublic":"2025-03-25T23:23:16.242Z","source":{"lang":"en","value":"Steven C Yu of Trend Micro Research"},"metrics":[{"format":"CVSS","cvssV3_0":{"version":"3.0","vectorString":"CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM"}}]},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-04-23T17:49:02.558052Z","id":"CVE-2025-2772","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-04-23T17:49:13.439Z"}}]}}