fkie_cve-2025-52492
Vulnerability from fkie_nvd
Published
2025-07-07 16:15
Modified
2025-07-08 18:15
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
A vulnerability has been discovered in the firmware of Paxton Paxton10 before 4.6 SR6. The firmware file, rootfs.tar.gz, contains hard-coded credentials for the Twilio API. A remote attacker who obtains a copy of the firmware can extract these credentials. This could allow the attacker to gain unauthorized access to the associated Twilio account, leading to information disclosure, potential service disruption, and unauthorized use of the Twilio services.
References
cve@mitre.orghttps://gist.github.com/jackcaplin/0dfb7ef428b8ade5de4396dd753cd894
cve@mitre.orghttps://paxton-access.co.uk
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability has been discovered in the firmware of Paxton Paxton10 before 4.6 SR6. The firmware file, rootfs.tar.gz, contains hard-coded credentials for the Twilio API. A remote attacker who obtains a copy of the firmware can extract these credentials. This could allow the attacker to gain unauthorized access to the associated Twilio account, leading to information disclosure, potential service disruption, and unauthorized use of the Twilio services."
    },
    {
      "lang": "es",
      "value": "Se ha descubierto una vulnerabilidad en el firmware de Paxton Paxton10 anterior a la versi\u00f3n 4.6 SR6. El archivo de firmware, rootfs.tar.gz, contiene credenciales predefinidas para la API de Twilio. Un atacante remoto que obtenga una copia del firmware puede extraer estas credenciales. Esto podr\u00eda permitirle obtener acceso no autorizado a la cuenta de Twilio asociada, lo que podr\u00eda provocar la divulgaci\u00f3n de informaci\u00f3n, la posible interrupci\u00f3n del servicio y el uso no autorizado de los servicios de Twilio."
    }
  ],
  "id": "CVE-2025-52492",
  "lastModified": "2025-07-08T18:15:40.190",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-07T16:15:24.233",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "https://gist.github.com/jackcaplin/0dfb7ef428b8ade5de4396dd753cd894"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://paxton-access.co.uk"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-798"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.