CVE-2025-22896

High

Published: 13 February 2025

Published

13 February 2025

Modified

04 March 2025

KEV Added

—

Patch

—

CVSS Score 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

EPSS Score 0.3324 96.9th percentile

Risk Priority 37 60% EPSS · 20% KEV · 20% CVSS

Description

mySCADA myPRO Manager stores credentials in cleartext, which could allow an attacker to obtain sensitive information.

Security Summary

CVE-2025-22896 is a vulnerability in mySCADA myPRO Manager, published on 2025-02-13, where the software stores credentials in cleartext. This issue, linked to CWE-312 (Cleartext Storage of Sensitive Information), carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), reflecting high severity primarily due to the risk of sensitive information disclosure.

The vulnerability can be exploited by any unauthenticated attacker with network access to the affected system, requiring low complexity and no user interaction. Exploitation enables the attacker to access and extract credentials stored in cleartext, resulting in high-impact confidentiality loss across the scoped impact.

Mitigation details are available in the CISA ICS advisory ICSA-25-044-16 at https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-16, along with mySCADA contacts at https://www.myscada.org/contacts/ and downloads at https://www.myscada.org/downloads/mySCADAPROManager/.

Details

CWE(s): CWE-312

Affected Products

myscada

mypro

≤ 1.4

References

https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-16
Third Party Advisory, US Government Resource · ics-cert@hq.dhs.gov
https://www.myscada.org/contacts/
Product · ics-cert@hq.dhs.gov
https://www.myscada.org/downloads/mySCADAPROManager/
Product · ics-cert@hq.dhs.gov