CVE-2025-14266 - Vulnerability Details - OpenCVE

CSRF in Ercom Cryptobox administration console allows attacker to trigger some actions on behalf of a Cryptobox administrator. The attack requires the administrator to browse a malicious web site or to click a link while he has an open session on the administration console.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Ercom	Cryptobox

No data.

No data.

No data.

References

Link	Providers
https://info.cryptobox.com/doc/v4.39/4.39.en/#fix2

History

Wed, 17 Dec 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 17 Dec 2025 14:00:00 +0000

Type	Values Removed	Values Added
Description		CSRF in Ercom Cryptobox administration console allows attacker to trigger some actions on behalf of a Cryptobox administrator. The attack requires the administrator to browse a malicious web site or to click a link while he has an open session on the administration console.
Title		CSRF in Ercom Cryptobox administration console
First Time appeared		Ercom Ercom cryptobox
Weaknesses		CWE-352
CPEs		cpe:2.3:a:ercom:cryptobox::::::::
Vendors & Products		Ercom Ercom cryptobox
References		https://info.cryptobox.com/doc/v4.39/4.39.en/#fix2
Metrics		cvssV4_0 `{'score': 0.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/AU:N/R:U'}`

MITRE

Status: PUBLISHED

Assigner: THA-PSIRT

Published: 2025-12-17T13:38:22.069Z

Updated: 2025-12-17T14:18:16.552Z

Reserved: 2025-12-08T13:02:54.031Z

Link: CVE-2025-14266

Vulnrichment

Updated: 2025-12-17T14:18:08.546Z

NVD

Status : Received

Published: 2025-12-17T14:15:47.563

Modified: 2025-12-17T14:15:47.563

Link: CVE-2025-14266

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14266", "assignerOrgId": "9d5917ae-205d-4ae5-8749-1f49479b1395", "state": "PUBLISHED", "assignerShortName": "THA-PSIRT", "dateReserved": "2025-12-08T13:02:54.031Z", "datePublished": "2025-12-17T13:38:22.069Z", "dateUpdated": "2025-12-17T14:18:16.552Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["Administration console"], "product": "Cryptobox", "vendor": "Ercom", "versions": [{"lessThan": "4.37.229", "status": "affected", "version": "4.0.0", "versionType": "semver"}, {"lessThan": "4.39.200", "status": "affected", "version": "4.38.0", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ercom:cryptobox:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.37.229", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ercom:cryptobox:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.39.200", "versionStartIncluding": "4.38.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "CSRF in Ercom Cryptobox administration console allows attacker to trigger some actions on behalf of a Cryptobox administrator. The attack requires the administrator to browse a malicious web site or to click a link while he has an open session on the administration console."}], "value": "CSRF in Ercom Cryptobox administration console allows attacker to trigger some actions on behalf of a Cryptobox administrator. The attack requires the administrator to browse a malicious web site or to click a link while he has an open session on the administration console."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "CAPEC-62 Cross Site Request Forgery"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NO", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 0.6, "baseSeverity": "LOW", "exploitMaturity": "UNREPORTED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/AU:N/R:U", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9d5917ae-205d-4ae5-8749-1f49479b1395", "shortName": "THA-PSIRT", "dateUpdated": "2025-12-17T13:51:28.479Z"}, "references": [{"url": "https://info.cryptobox.com/doc/v4.39/4.39.en/#fix2"}], "source": {"discovery": "INTERNAL"}, "title": "CSRF in Ercom Cryptobox administration console", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-17T14:16:53.526332Z", "id": "CVE-2025-14266", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T14:18:16.552Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14266", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-17T14:16:53.526332Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T14:18:08.546Z"}}], "cna": {"title": "CSRF in Ercom Cryptobox administration console", "source": {"discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "CAPEC-62 Cross Site Request Forgery"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "USER", "baseScore": 0.6, "Automatable": "NO", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/AU:N/R:U", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Ercom", "modules": ["Administration console"], "product": "Cryptobox", "versions": [{"status": "affected", "version": "4.0.0", "lessThan": "4.37.229", "versionType": "semver"}, {"status": "affected", "version": "4.38.0", "lessThan": "4.39.200", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://info.cryptobox.com/doc/v4.39/4.39.en/#fix2"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "CSRF in Ercom Cryptobox administration console allows attacker to trigger some actions on behalf of a Cryptobox administrator. The attack requires the administrator to browse a malicious web site or to click a link while he has an open session on the administration console.", "supportingMedia": [{"type": "text/html", "value": "CSRF in Ercom Cryptobox administration console allows attacker to trigger some actions on behalf of a Cryptobox administrator. The attack requires the administrator to browse a malicious web site or to click a link while he has an open session on the administration console.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ercom:cryptobox:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.37.229", "versionStartIncluding": "4.0.0"}, {"criteria": "cpe:2.3:a:ercom:cryptobox:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.39.200", "versionStartIncluding": "4.38.0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "9d5917ae-205d-4ae5-8749-1f49479b1395", "shortName": "THA-PSIRT", "dateUpdated": "2025-12-17T13:51:28.479Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14266", "state": "PUBLISHED", "dateUpdated": "2025-12-17T14:18:16.552Z", "dateReserved": "2025-12-08T13:02:54.031Z", "assignerOrgId": "9d5917ae-205d-4ae5-8749-1f49479b1395", "datePublished": "2025-12-17T13:38:22.069Z", "assignerShortName": "THA-PSIRT"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "CSRF in Ercom Cryptobox administration console allows attacker to trigger some actions on behalf of a Cryptobox administrator. The attack requires the administrator to browse a malicious web site or to click a link while he has an open session on the administration console."}], "id": "CVE-2025-14266", "lastModified": "2025-12-17T14:15:47.563", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NO", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 0.6, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "psirt@thalesgroup.com", "type": "Secondary"}]}, "published": "2025-12-17T14:15:47.563", "references": [{"source": "psirt@thalesgroup.com", "url": "https://info.cryptobox.com/doc/v4.39/4.39.en/#fix2"}], "sourceIdentifier": "psirt@thalesgroup.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "psirt@thalesgroup.com", "type": "Secondary"}]}