CVE-2026-1814 PUBLISHED

Rapid7 Nexpose Insecure Java Keystore Password Generation

Assigner: rapid7
Reserved: 03.02.2026 Published: 03.02.2026 Updated: 03.02.2026

Rapid7 Nexpose versions 6.4.50 and later are vulnerable to an insufficient entropy issue in the CredentialsKeyStorePassword.generateRandomPassword() method. When updating legacy keystore passwords, the application generates a new password with insufficient length (7-12 characters) and a static prefix 'p', resulting in a weak keyspace. An attacker with access to the nsc.ks file can brute-force this password using consumer-grade hardware to decrypt stored credentials.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 7.5

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	High	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	High
User Interaction	None

CVSS 4.0

Product Status

Vendor	Rapid7
Product	InsightVM/Nexpose
Versions	Default: unaffected Version 8.24.0 is affected

Solutions

Fix is pending. Vendor is currently working on a remediation.

Credits

Justin Kennedy finder
Atredis Partners sponsor

References

https://www.atredis.com/disclosure

Problem Types

CWE-331 Insufficient Entropy CWE

Impacts

CAPEC-112 Brute Force