CVE-2025-12680

Brocade SANnav before Brocade SANnav 2.4.0b logs database passwords in clear text in the standby SANnav server, after disaster recovery failover. The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the database password.

CVSS v3 4.9 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36844	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:broadcom:sannav:*:*:*:*:*:*:*:*

History

03 Mar 2026, 01:02

Type	Values Removed	Values Added
First Time		Broadcom Broadcom sannav
CPE		cpe:2.3:a:broadcom:sannav::::::::
References	~~() https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36844 -~~	() https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36844 - Vendor Advisory
Summary		(es) Brocade SANnav anterior a Brocade SANnav 2.4.0b registra las contraseñas de la base de datos en texto claro en el servidor SANnav en espera, después de una conmutación por error de recuperación ante desastres. La vulnerabilidad podría permitir a un atacante remoto autenticado con privilegios de administrador, capaz de acceder a los registros de SANnav o al supportsave, leer la contraseña de la base de datos.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.9

02 Feb 2026, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-02 23:15

Updated : 2026-03-03 01:02

NVD link : CVE-2025-12680

Mitre link : CVE-2025-12680

CVE.ORG link : CVE-2025-12680

JSON object : View

Products Affected

broadcom

sannav

CWE

CWE-256

Plaintext Storage of a Password

CWE-312

Cleartext Storage of Sensitive Information

{"id": "CVE-2025-12680", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.2}], "cvssMetricV40": [{"type": "Secondary", "source": "sirt@brocade.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.0, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-02T23:15:58.280", "references": [{"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36844", "tags": ["Vendor Advisory"], "source": "sirt@brocade.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "sirt@brocade.com", "description": [{"lang": "en", "value": "CWE-256"}, {"lang": "en", "value": "CWE-312"}]}], "descriptions": [{"lang": "en", "value": "Brocade SANnav before Brocade SANnav 2.4.0b logs database passwords in clear text in the standby SANnav server, after disaster recovery failover. The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the database password."}, {"lang": "es", "value": "Brocade SANnav anterior a Brocade SANnav 2.4.0b registra las contrase\u00f1as de la base de datos en texto claro en el servidor SANnav en espera, despu\u00e9s de una conmutaci\u00f3n por error de recuperaci\u00f3n ante desastres. La vulnerabilidad podr\u00eda permitir a un atacante remoto autenticado con privilegios de administrador, capaz de acceder a los registros de SANnav o al supportsave, leer la contrase\u00f1a de la base de datos."}], "lastModified": "2026-03-03T01:02:34.947", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:broadcom:sannav:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "83338795-8BD8-4EC8-BFBA-2660F8150BEE", "versionEndExcluding": "2.4.0b"}], "operator": "OR"}]}], "sourceIdentifier": "sirt@brocade.com"}