CVE-2025-3895

Low token entropy in MegaBIP

CVSS 9.1 CRITICALEPSS 0.4%CWE-334

Token used for resetting passwords in MegaBIP software are generated using a small space of random values combined with a queryable value. It allows an unauthenticated attacker who know user login names to brute force these tokens and change account passwords (including these belonging to administrators). Version 5.20 of MegaBIP fixes this issue.

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected products

Jan Syski · MegaBIP

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://cert.pl/en/posts/2025/05/CVE-2025-3893 https://megabip.pl/index.php?id=24,145 https://www.gov.pl/web/cyfryzacja/rekomendacja-pelnomocnika-rzadu-ds-cyberbezpieczenstwa-dotyczaca-biuletynow-informacji-publicznej