CVE-2025-54422

EPSS 0.01%
Veröffentlicht 29.07.2025 12:47:50
Zuletzt bearbeitet 04.08.2025 17:30:08
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. In versions 1.16.1 and below, a critical security vulnerability exists in password handling mechanisms. During encrypted sandbox creation, user passwords are transmitted via shared memory, exposing them to potential interception. The vulnerability is particularly severe during password modification operations, where both old and new passwords are passed as plaintext command-line arguments to the Imbox process without any encryption or obfuscation. This implementation flaw allows any process within the user session, including unprivileged processes, to retrieve these sensitive credentials by reading the command-line arguments, thereby bypassing standard privilege requirements and creating a significant security risk. This is fixed in version 1.16.2.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 4 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Sandboxie-plus ≫ Sandboxie SwEditionplus Version < 1.16.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.005

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	6.9	0	0	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-312 Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

CWE-322 Key Exchange without Entity Authentication

The product performs a key exchange with an actor without verifying the identity of that actor.

CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-jp7r-vgv9-43p7

Vendor Advisory

https://github.com/sandboxie-plus/Sandboxie/commit/d107d5743880da28e782c1771b5246b2a512989a

Patch

https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.16.2

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2025-54422

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-54422

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-54422

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-54422