7.3 CVE-2025-22463

A hardcoded key in Ivanti Workspace Control before version 10.19.10.0 allows a local authenticated attacker to decrypt the stored environment password.
https://nvd.nist.gov/vuln/detail/CVE-2025-22463

Categories

CWE-321 : Use of Hard-coded Cryptographic Key
The product uses a hard-coded, unchangeable cryptographic key. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Prevention schemes mirror that of hard-coded password storage. Engineering Workstation uses hard-coded cryptographic keys that could allow for unathorized filesystem access and privilege escalation Remote Terminal Unit (RTU) uses a hard-coded SSH private key that is likely to be used by default. WiFi router service has a hard-coded encryption key, allowing root access Communications / collaboration product has a hardcoded SSH private key, allowing access to root account

References

 

CPE

cpe	start	end

---

REMEDIATION

---

---

EXPLOITS

---

Exploit-db.com

id	description	date
No known exploits

---

POC Github

Url
No known exploits

---

Other Nist (github, ...)

Url
No known exploits

---

CAPEC

---

Common Attack Pattern Enumerations and Classifications

id	description	severity
No entry

---