An issue in N3uron Web User Interface v.1.21.7-240207.1047 allows a remote attacker to escalate privileges via the password hashing on the client side using the MD5 algorithm over a predictable string format
The application computes the user password hash on the client side using the MD5 algorithm (classified as cryptographically weak – CWE-327). The hash is created based on a predictable string format, which allows an attacker to reproduce or craft a correct hash without knowledge of the original password. This enables a remote attacker to impersonate a privileged user and obtain a higher level of access in the application.
An attacker can remotely escalate their privileges in the N3Uron web interface, potentially gaining full control over the application and industrial resources managed by it (confidentiality, integrity, and availability are fully compromised according to the CVSS vector).
Apply patches available from the manufacturer according to the references (https://n3uron.com/addressing-cve-2025-69929-in-n3uron-web-user-interface/). The manufacturer has published a dedicated article describing how to eliminate the vulnerability.
N3Uron Web User Interface version 1.21.7-240207.1047
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HN3uron Web User Interface
APPN3Uron1.21.13-250422.08581.21.6-230825.17201.21.7-240207.1047