CVE-2025-3895: Low token entropy in MegaBIP

9.1 CVSS

Description

Tokens used for resetting passwords in MegaBIP software are generated from a small space of random values combined with a value that an attacker can query. Because the only unknown input comes from that small space, an unauthenticated attacker who knows a user's login name can brute-force the token and change the account's password, including passwords of administrator accounts.
Version 5.20 of MegaBIP fixes this issue.
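The description above boils down to a token whose entropy comes from a small random value, with everything else either public or queryable. The following Python is an added illustration, not MegaBIP's code: the generator, the size of the random space (10,000 values) and the "queryable" input are assumptions chosen to show why such tokens fall to enumeration, next to the conventional fix of drawing the token from the OS CSPRNG.

```python
"""Constructed illustration of CWE-334 (small space of random values) in a
password-reset token. Not MegaBIP's implementation: the scheme, WEAK_SPACE and
the queryable value are hypothetical."""
import hashlib
import hmac
import math
import secrets
from typing import Dict, Optional

# Assumed size of the weak random space (hypothetical, not the vendor's value).
WEAK_SPACE = 10_000


def weak_reset_token(login: str, queryable: str, rnd: int) -> str:
    """Weak scheme: login and `queryable` are attacker-knowable, so the only
    secret input is rnd, drawn from WEAK_SPACE values. Hashing the mix does
    not add entropy; the attacker simply re-computes every candidate."""
    return hashlib.sha256(f"{login}:{queryable}:{rnd}".encode()).hexdigest()


def strong_reset_token() -> str:
    """Fixed scheme: 32 bytes (256 bits) from the OS CSPRNG, independent of
    any value the attacker can look up or predict."""
    return secrets.token_urlsafe(32)


def entropy_bits(space_size: int) -> float:
    """Bits of entropy available to a brute-forcer for a given space size."""
    return math.log2(space_size)


class ResetService:
    """Minimal stand-in for a reset endpoint: stores only a hash of the
    issued token, enforces single use and counts verification attempts."""

    def __init__(self, weak: bool, queryable: str = "2025-05-01") -> None:
        self.weak = weak
        self.queryable = queryable            # assumed attacker-queryable value
        self.tokens: Dict[str, str] = {}      # login -> sha256(token)
        self.passwords: Dict[str, str] = {}
        self.attempts = 0

    def request_reset(self, login: str) -> None:
        if self.weak:
            token = weak_reset_token(login, self.queryable, secrets.randbelow(WEAK_SPACE))
        else:
            token = strong_reset_token()
        # The token would be e-mailed to the user; the attacker never sees it.
        self.tokens[login] = hashlib.sha256(token.encode()).hexdigest()

    def reset_password(self, login: str, token: str, new_password: str) -> bool:
        self.attempts += 1
        stored = self.tokens.get(login)
        if stored is None:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(stored, presented):
            return False
        self.passwords[login] = new_password
        del self.tokens[login]                # single use
        return True


def brute_force_reset(service: ResetService, login: str, queryable: str,
                      new_password: str) -> Optional[int]:
    """Unauthenticated attacker knowing only the login name and the queryable
    value enumerates the whole random space against the endpoint. Returns the
    number of attempts used, or None if the space is exhausted without a hit."""
    for rnd in range(WEAK_SPACE):
        candidate = weak_reset_token(login, queryable, rnd)
        if service.reset_password(login, candidate, new_password):
            return service.attempts
    return None


if __name__ == "__main__":
    svc = ResetService(weak=True)
    svc.request_reset("admin")
    used = brute_force_reset(svc, "admin", svc.queryable, "attacker-chosen")
    print(f"weak scheme: {entropy_bits(WEAK_SPACE):.1f} bits, "
          f"password changed after {used} attempts")
    print(f"fixed scheme: {entropy_bits(2 ** 256):.0f} bits, enumeration infeasible")
```

Two practitioner notes on the fixed scheme: a 256-bit token only helps if the application also expires tokens after a short window and rate-limits the reset endpoint per login, since the brute force here needs no authentication and only the login name; and storing a hash of the token rather than the token itself means a database read does not hand out live reset capability.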

Classification

CVE ID: CVE-2025-3895

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.1

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Problem Types

CWE-334 Small Space of Random Values

Affected Products

Vendor: Jan Syski

Product: MegaBIP

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.08% (estimated probability of exploitation in the wild within the next 30 days)

EPSS Percentile: 24.82% (proportion of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-06 (date the score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-3895
https://cert.pl/en/posts/2025/05/CVE-2025-3893
https://megabip.pl/index.php?id=24145
https://www.gov.pl/web/cyfryzacja/rekomendacja-pelnomocnika-rzadu-ds-cyberbezpieczenstwa-dotyczaca-biuletynow-informacji-publicznej

Timeline