Use of a broken or risky cryptographic algorithm in emissary - CVE-2025-27508
Published: March 5, 2025 / Updated: April 7, 2026
Vulnerability identifier: #VU125042
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-27508
CWE-ID: CWE-327
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: National Security Agency
Affected software:
emissary
emissary
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass naive integrity checks.
The vulnerability exists due to use of a broken or risky cryptographic algorithm in the ChecksumCalculator class when generating hashes or checksums for security-sensitive purposes. A remote attacker can craft inputs with colliding or manipulable values to bypass naive integrity checks.
The issue is associated with the default use of SHA-1 and the availability of CRC32 and SSDEEP, which may be misused in contexts requiring strong cryptographic guarantees.
How to mitigate CVE-2025-27508
Install security update from vendor's website.