CVE-2025-13954 PUBLISHED

Hard-coded cryptographic keys in EZCast Pro II Dongle

Assigner: NCSC.ch
Reserved: 03.12.2025 Published: 10.12.2025 Updated: 10.12.2025

Hard-coded cryptographic keys in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to bypass authorization checks and gain full access to the admin UI

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:H/SA:N/AU:Y/RE:L
CVSS Score: 9.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Adjacent	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	EZCast
Product	EZCast Pro II
Versions	Default: affected Version 1.17478.146 is affected

Workarounds

Until a firmware patch is made available by the vendor, users are advised to disconnect the dongle from their local network and limit its use strictly to Access Point functionality to minimize the attack surface

Credits

Swiss National Test Institute for Cybersecurity NTC finder
Swiss National Cybersecurity Centre coordinator

References

https://www.ncsc.admin.ch/ncsc/en/home/infos-fuer/infos-it-spezialisten/themen/schwachstelle-melden/cvd-cases/cvd-case-1-test.html

Problem Types

CWE-798 Use of Hard-coded Credentials CWE

Impacts

CAPEC-115 Authentication Bypass