Main Vulnerability Database SB2025042319

SB2025042319 - Use of Cryptographically Weak Pseudo-Random Number Generator in Delta Electronics COMMGR

Published: April 23, 2025 Updated: June 20, 2025

Security Bulletin ID SB2025042319

Severity

High

Patch available

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CVE-ID: CVE-2025-3495)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the affected software uses insufficiently randomized values to generate session IDs within the PLC simulator service. A remote attacker can brute force a session ID and execute arbitrary code on the system.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00005_COMMGR%20-%20Insufficient%20Randomization%20Authentication%20Bypass_v1.pdf
https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-07
https://www.zerodayinitiative.com/advisories/ZDI-25-397/