CVE-2025-3495 PUBLISHED

COMMGR - Insufficient Randomization Authentication Bypass

Assigner: Deltaww
Reserved: 10.04.2025 Published: 16.04.2025 Updated: 16.04.2025

Delta Electronics COMMGR v1 and v2 uses insufficiently randomized values to generate session IDs (CWE-338). An attacker could easily brute force a session ID and load and execute arbitrary code.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Delta Electronics
Product	COMMGR
Versions	Default: unaffected Version 0 is affected

References

https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00005_COMMGR%20-%20Insufficient%20Randomization%20Authentication%20Bypass_v1.pdf
https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-07

Problem Types

CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) CWE

Impacts

CAPEC-21 Exploitation of Trusted Identifiers