CVE-2025-40680 MEDIUM

CVE-2025-40680: Encryption of sensitive data in CapillaryScope missing

Vendor Capillary Io
Product CapillaryScope
Weakness CWE-311 · Missing encryption
Published July 24, 2025
Last update July 24, 2025

CVSS base score

6.9/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

CapillaryScope v2.5.0 from Capillary io does not encrypt sensitive data: it stores both the proxy credentials and the JWT session token in plain text in different registry keys on the Windows operating system. Any authenticated local user with read access to the registry can extract these sensitive values.
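One way to check a host for this weakness, as an added example that is not from the advisory or the vendor: the script parses text in `reg export` format and flags string values that hold a JWT or carry a credential-like name. The key paths, value names and sample data are constructed placeholders, because the advisory does not name the affected registry keys.

```python
import base64, json, re

# Constructed sample in `reg export` text format. The key path and value names
# are placeholders; the advisory does not name the real ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp\Session]
"Token"="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl"
"Theme"="dark"

[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp\Proxy]
"ProxyUser"="svc-proxy"
"ProxyPassword"="constructed-sample-only"
"ProxyPort"=dword:00001f90
'''

JWT_RE = re.compile(r'^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$')
SECRET_NAME_RE = re.compile(r'pass|secret|token|cred', re.I)
STRING_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def looks_like_jwt(value):
    """True if value is three base64url segments and the first is a JSON header with 'alg'."""
    if not JWT_RE.match(value):
        return False
    head = value.split('.')[0]
    try:
        header = json.loads(base64.urlsafe_b64decode(head + '=' * (-len(head) % 4)))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False
    return isinstance(header, dict) and 'alg' in header

def find_plaintext_secrets(reg_text):
    """Return (key, value_name, reason) for each string value that needs review."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]          # current registry key
            continue
        m = STRING_VALUE_RE.match(line)
        if not m or key is None:
            continue                  # file header, blank lines, dword/hex values
        name, value = m.groups()
        if looks_like_jwt(value):
            findings.append((key, name, 'jwt'))
        elif SECRET_NAME_RE.search(name) and value:
            findings.append((key, name, 'secret-named string'))
    return findings
```

Files written by `reg export` are UTF-16, so read a real export with `encoding='utf-16'` before passing its text in. A `secret-named string` hit only means the value is stored as a readable string and should be reviewed, since ciphertext can also be stored that way.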

Key dates

02 Disclosure timeline

July 24, 2025 CVE published
July 24, 2025 Record updated