CVE-2025-12773 PUBLISHED

Plain password is generated in the audit logs while executing update-reports-purge-settings.sh script with Brocade SANnav before 2.4.0a

Assigner: brocade
Reserved: 05.11.2025 Published: 03.02.2026 Updated: 03.02.2026

A vulnerability in update-reports-purge-settings.sh script logging for Brocade SANnav before 2.4.0a could allow the collection of SANnav database password in the system audit logs. The vulnerability could allow a remote authenticated attacker with access to the audit logs to access the Brocade SANnav database password.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
CVSS Score: 7.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	None	Integrity	High
Attack Requirements	None	Availability	None	Availability	High
Privileges Required	High
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	Brocade
Product	SANnav
Versions	Default: unaffected Version before 2.4.0a is affected

References

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36847

Problem Types

CWE-209 Generation of Error Message Containing Sensitive Information CWE

Impacts

CAPEC-37 Retrieve Embedded Sensitive Data