CVE-2025-48931
CVE-2025-48931 is a low-severity vulnerability in Smarsh Telemessage with a CVSS 3.x base score of 3.2. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-328.
Key facts
- Severity: Low (CVSS 3.x base score 3.2)
- EPSS exploit prediction: 0% (1st percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-16209
- Weakness: CWE-328
- Affected product: Smarsh Telemessage
- Published:
- Last modified:
Description
The TeleMessage service through 2025-05-05 relies on MD5 for password hashing, which opens up various attack possibilities (including rainbow tables) with low computational effort.
Frequently asked questions
- What is CVE-2025-48931?
- The TeleMessage service through 2025-05-05 relies on MD5 for password hashing, which opens up various attack possibilities (including rainbow tables) with low computational effort.
- How severe is CVE-2025-48931?
- CVE-2025-48931 has a CVSS 3.x base score of 3.2, rated low severity. It is exploitable over local access with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
- Is CVE-2025-48931 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (1st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-48931?
- CVE-2025-48931 affects Smarsh Telemessage. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-48931?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-48931 have an EU (EUVD) identifier?
- Yes. CVE-2025-48931 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-16209.
- When was CVE-2025-48931 published?
- CVE-2025-48931 was published on 2025-05-28 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:smarsh:telemessage:*:*:*:*:*:*:*:*
More vulnerabilities in Smarsh Telemessage
- CVE-2025-48927 — Medium (CVSS 5.3): The TeleMessage service through 2025-05-05 configures Spring Boot Actuator with an exposed heap dump endpoint at a…
- CVE-2025-47730 — Medium (CVSS 4.8): The TeleMessage archiving backend through 2025-05-05 accepts API calls (to request an authentication token) from the TM…
- CVE-2025-48926 — Medium (CVSS 4.3): The admin panel in the TeleMessage service through 2025-05-05 allows attackers to discover usernames, e-mail addresses,…
- CVE-2025-48925 — Medium (CVSS 4.3): The TeleMessage service through 2025-05-05 relies on the client side (e.g., the TM SGNL app) to do MD5 hashing, and…
- CVE-2025-48929 — Medium (CVSS 4.0): The TeleMessage service through 2025-05-05 implements authentication through a long-lived credential (e.g., not a token…
- CVE-2025-48928 — Medium (CVSS 4.0): The TeleMessage service through 2025-05-05 is based on a JSP application in which the heap content is roughly…
All CVEs affecting Smarsh Telemessage →
Other CWE-328 vulnerabilities
- CVE-2026-36182 — Critical (CVSS 9.8): GNCC GP5 v7.1.76 was discovered to utilize a weak hashing algorithm to protect the root password, possibly allowing…
- CVE-2020-37168 — Critical (CVSS 9.8): Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force…
- CVE-2025-41652 — Critical (CVSS 9.8): The devices are vulnerable to an authentication bypass due to flaws in the authorization mechanism. An unauthenticated…
- CVE-2025-27595 — Critical (CVSS 9.8): The device uses a weak hashing alghorithm to create the password hash. Hence, a matching password can be easily…
- CVE-2022-45141 — Critical (CVSS 9.8): Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022 and…
- CVE-2023-0452 — Critical (CVSS 9.8): Econolite EOS versions prior to 3.2.23 use a weak hash algorithm for encrypting privileged user credentials. A…