Description

Delta Electronics COMMGR v1 and v2 use insufficiently randomized values to generate session IDs (CWE-338). An attacker could easily brute-force a session ID and then load and execute arbitrary code.

Reserved 2025-04-10 | Published 2025-04-16 | Updated 2025-08-19 | Assigner Deltaww

CRITICAL: 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Product status

Default status: unaffected

Any version: affected

Timeline

2024-12-16: Reported
2025-04-15: Advisory v1 published; still working on fixing the vulnerability
2025-07-07: New version COMMGR v2.10.0 has been released.

References

filecenter.deltaww.com/...ation Authentication Bypass_v1.pdf

www.cisa.gov/news-events/ics-advisories/icsa-25-105-07

cve.org (CVE-2025-3495)

nvd.nist.gov (CVE-2025-3495)