CVE-2025-0714

Insecure storage of sensitive information in MobaXTerm <25.0.

Description

The vulnerability exists in the password storage of Mobateks MobaXterm in versions below 25.0. MobaXTerm uses an initialisation vector (IV) consisting only of zero bytes and a master key to encrypt each password individually. In the default configuration, on opening MobaXTerm, the user is prompted for their password. A derivative of the password is used as the master key. As both the master key and the IV are the same for each stored password, the AES CFB ciphertext depends only on the plaintext (the password). The static IV and master key make it easier to obtain sensitive information and to decrypt data when it is stored at rest.

Remediation

Solution:

  • Update MobaXterm to v25.0 and reencrypt passwords that were encrypted with a vulnerable version of MobaXterm.

Category

6.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.02%
Third-Party Advisory cirosec.de
Affected: Mobatek MobaXterm
Published at:
Updated at:

References

Link Tags
https://www.cirosec.de/sa/sa-2024-012 third party advisory

Frequently Asked Questions

What is the severity of CVE-2025-0714?
CVE-2025-0714 has been scored as a medium severity vulnerability.
How to fix CVE-2025-0714?
To fix CVE-2025-0714: Update MobaXterm to v25.0 and reencrypt passwords that were encrypted with a vulnerable version of MobaXterm.
Is CVE-2025-0714 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-0714 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-0714?
CVE-2025-0714 affects Mobatek MobaXterm.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.