CVE-2025-3895 CRITICAL

CVE-2025-3895: Low token entropy in MegaBIP

Vendor Jan Syski
Product MegaBIP
Weakness CWE-334
Published May 23, 2025
Last update May 23, 2025

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Tokens used for resetting passwords in MegaBIP are generated from a small space of random values combined with a queryable value. This allows an unauthenticated attacker who knows user login names to brute-force these tokens and change account passwords (including those belonging to administrators). Version 5.20 of MegaBIP fixes this issue.

Key dates

02 Disclosure timeline

May 23, 2025 CVE published
May 23, 2025 Record updated