CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-36496: Hardcoded Credentials

Description

The configuration file is encrypted with a static key derived from a
static five-character password which allows an attacker to decrypt this
file. The application hashes this five-character password with
the outdated and broken MD5 algorithm (no salt) and uses the first five
bytes as the key for RC4. The configuration file is then encrypted with
these parameters.

Classification

CVE ID: CVE-2024-36496

Affected Products

Vendor: Faronics

Product: WINSelect (Standard + Enterprise)

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 18.39% (scored less or equal to compared to others)

EPSS Date: 2025-03-14 (when was this score calculated)

References

https://r.sec-consult.com/winselect
https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes
http://seclists.org/fulldisclosure/2024/Jun/12

Timeline

2025-02-14 00:32:18 UTC
CVE

Hardcoded Credentials