CVE-2025-3895

Token used for resetting passwords in MegaBIP software are generated using a small space of random values combined with a queryable value. It allows an unauthenticated attacker who know user login names to brute force these tokens and change account passwords (including these belonging to administrators). Version 5.20 of MegaBIP fixes this issue.

CVSS

No CVSS.

References

Link	Resource
https://cert.pl/en/posts/2025/05/CVE-2025-3893
https://megabip.pl/index.php?id=24,145
https://www.gov.pl/web/cyfryzacja/rekomendacja-pelnomocnika-rzadu-ds-cyberbezpieczenstwa-dotyczaca-biuletynow-informacji-publicznej

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Los tokens utilizados para restablecer contraseñas en el software MegaBIP se generan mediante un pequeño espacio de valores aleatorios combinado con un valor consultable. Esto permite a un atacante no autenticado que conozca los nombres de usuario de los usuarios acceder a estos tokens mediante fuerza bruta y cambiar las contraseñas de las cuentas (incluidas las de los administradores). La versión 5.20 de MegaBIP soluciona este problema.

23 May 2025, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-23 11:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-3895

Mitre link : CVE-2025-3895

CVE.ORG link : CVE-2025-3895

JSON object : View

Products Affected

No product.

CWE

CWE-334

Small Space of Random Values

{"id": "CVE-2025-3895", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cvd@cert.pl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-23T11:15:32.957", "references": [{"url": "https://cert.pl/en/posts/2025/05/CVE-2025-3893", "source": "cvd@cert.pl"}, {"url": "https://megabip.pl/index.php?id=24,145", "source": "cvd@cert.pl"}, {"url": "https://www.gov.pl/web/cyfryzacja/rekomendacja-pelnomocnika-rzadu-ds-cyberbezpieczenstwa-dotyczaca-biuletynow-informacji-publicznej", "source": "cvd@cert.pl"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "cvd@cert.pl", "description": [{"lang": "en", "value": "CWE-334"}]}], "descriptions": [{"lang": "en", "value": "Token used for resetting passwords in MegaBIP software\u00a0are generated using a small space of random values combined with a queryable value.\n It allows an unauthenticated attacker who know user login names to brute force these tokens and change account passwords (including these belonging to administrators).\u00a0\nVersion 5.20 of MegaBIP fixes this issue."}, {"lang": "es", "value": "Los tokens utilizados para restablecer contrase\u00f1as en el software MegaBIP se generan mediante un peque\u00f1o espacio de valores aleatorios combinado con un valor consultable. Esto permite a un atacante no autenticado que conozca los nombres de usuario de los usuarios acceder a estos tokens mediante fuerza bruta y cambiar las contrase\u00f1as de las cuentas (incluidas las de los administradores). La versi\u00f3n 5.20 de MegaBIP soluciona este problema."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "cvd@cert.pl"}