CVE-2025-65998

Published Nov 24, 2025

Last updated 5 months ago

CVSS high 7.5

Overview

Description
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values. This is not affecting encrypted plain attributes, whose values are also stored using AES encryption. Users are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue.
Source
security@apache.org
NVD status
Analyzed
Products
syncope

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity
HIGH

Weaknesses

security@apache.org
CWE-321

Social media

Hype score
Not currently trending

  1. Apache Syncope で危険度の高い脆弱性(CVE-2025-65998) https://t.co/IGPFf5Xt9R #セキュリティ対策Lab #セキュリティ #Security

    @securityLab_jp

    1 Dec 2025

    94 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Warning: CVE-2025-65998 CVSS:7.5 is a vulnerability in #Apache #Syncope, enabling attackers to decrypt user passwords by stealing a hard-coded default encryption key. RedHat suggests upgrading to version 3.0.15 / 4.0.3, more info at: https://t.co/K9YT7jSY2K. #Patch #Patch #Patch

    @CCBalert

    27 Nov 2025

    204 Impressions

    2 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🔍 𝐀𝐩𝐚𝐜𝐡𝐞 𝐒𝐲𝐧𝐜𝐨𝐩𝐞 𝐅𝐥𝐚𝐰 𝐄𝐱𝐩𝐨𝐬𝐞𝐬 𝐈𝐧𝐭𝐞𝐫𝐧𝐚𝐥 𝐃𝐚𝐭𝐚𝐛𝐚𝐬𝐞 𝐃𝐚𝐭𝐚 • Apache Syncope has a vulnerability that exposes data when using AES password encryptio

    @PurpleOps_io

    27 Nov 2025

    51 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Critical vulnerabilities unveiled: Apache Syncope’s CVE-2025-65998 risks stored passwords; Fluent Bit RCE flaws enable cloud attacks; Oracle KEV exploits affect Canon; major breaches hit Dartmouth, SitusAMC, Almaviva, and more. #DataBreach #CloudSecurity https://t.co/aHIFKrnnGJ

    @TweetThreatNews

    26 Nov 2025

    171 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-65998 Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. When AES is c… https://t.co/QEMNMfnuNA

    @CVEnew

    24 Nov 2025

    192 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.CVE-2026-23794
  2. Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.CVE-2026-23795
  3. Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload. Such a feature has been available for a while, but recently it was discovered that a malicious administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core instance. Users are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox.CVE-2025-57738
  4. When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser when editing “Personal Information” or “User Requests”: such payloads would trigger for administrators in Syncope Console, thus enabling session hijacking. Users are recommended to upgrade to version 3.0.9, which fixes this issue.CVE-2024-45031
  5. When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits. The same vulnerability was found in the Syncope Enduser, when editing “Personal Information” or “User Requests”. Users are recommended to upgrade to version 3.0.8, which fixes this issue.CVE-2024-38503

References

Sources include official advisories and independent security research.