CVE-2025-41744
Sprecher Automation: SPRECON-E series has static default key material for TLS connections
In short
The SPRECON-E series devices use the same default encryption keys for all units, allowing anyone with network access to decrypt and intercept all encrypted communications. This puts sensitive operational data at risk.
Technical detail
CWE-1394 (use of hard-coded cryptographic keys) in SPRECON-E series enables unauthenticated remote attackers to decrypt TLS traffic by obtaining publicly known default key material. An unprivileged attacker on the network can perform passive decryption of all encrypted communications, compromising both confidentiality and message integrity without authentication or elevated privileges.
Summary generated and translated by AI from the official description.
Sprecher Automations SPRECON-E series uses default cryptographic keys that allow an unprivileged remote attacker to access all encrypted communications, thereby compromising confidentiality and integrity.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected products
Sprecher Automation · SPRECON-E-CSprecher Automation · SPRECON-E-PSprecher Automation · SPRECON-E-T3Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →