CVE-2025-15016
Published: 22 December 2025
Description
Enterprise Cloud Database developed by Ragic has a Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fixed key to generate verification information and log into the system as any user.
Mitigating Controls (NIST 800-53 r5)
SC-12 requires secure establishment and management of cryptographic keys, directly preventing the use of hard-coded keys for authentication verification.
IA-5 mandates management of authenticators including cryptographic keys used to generate login verification information, mitigating hard-coding vulnerabilities.
SI-2 ensures timely identification, reporting, and correction of flaws like hard-coded cryptographic keys, remediating the specific CVE to prevent exploitation.
Security Summary
CVE-2025-15016 is a hard-coded cryptographic key vulnerability (CWE-321) affecting the Enterprise Cloud Database developed by Ragic. Published on 2025-12-22, the issue stems from a fixed key that undermines authentication mechanisms, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no privileges or user interaction required. By using the fixed key, they can generate valid verification information to log into the system as any user, enabling full unauthorized access.
Advisories from TWCERT/CC, available at https://www.twcert.org.tw/en/cp-139-10588-771e5-2.html and https://www.twcert.org.tw/tw/cp-132-10587-797c6-1.html, provide further details on the vulnerability and recommended mitigations.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a hard-coded cryptographic key in a public-facing Enterprise Cloud Database, enabling unauthenticated remote attackers to bypass authentication and gain full unauthorized access, directly mapping to exploitation of public-facing applications.