cvelistv5 - CVE-2025-27508

CVE-2025-27508 (GCVE-0-2025-27508)

Vulnerability from cvelistv5 – Published: 2025-03-05 21:32 – Updated: 2025-03-07 18:02

Summary

Emissary is a P2P based data-driven workflow engine. The ChecksumCalculator class within allows for hashing and checksum generation, but it includes or defaults to algorithms that are no longer recommended for secure cryptographic use cases (e.g., SHA-1, CRC32, and SSDEEP). These algorithms, while possibly valid for certain non-security-critical tasks, can expose users to security risks if used in scenarios where strong cryptographic guarantees are required. This issue is fixed in 8.24.0.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

Assigner

GitHub_M

References

URL

Tags

	https://github.com/NationalSecurityAgency/emissar…	x_refsource_CONFIRM
	https://github.com/NationalSecurityAgency/emissar…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	NationalSecurityAgency	emissary	Affected: < 8.24.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-27508",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-07T18:01:59.726755Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-07T18:02:15.614Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hw43-fcmm-3m5g"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "emissary",
          "vendor": "NationalSecurityAgency",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 8.24.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Emissary is a P2P based data-driven workflow engine. The ChecksumCalculator class within allows for hashing and checksum generation, but it includes or defaults to algorithms that are no longer recommended for secure cryptographic use cases (e.g., SHA-1, CRC32, and SSDEEP). These algorithms, while possibly valid for certain non-security-critical tasks, can expose users to security risks if used in scenarios where strong cryptographic guarantees are required. This issue is fixed in 8.24.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-327",
              "description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-05T21:32:42.470Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hw43-fcmm-3m5g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hw43-fcmm-3m5g"
        },
        {
          "name": "https://github.com/NationalSecurityAgency/emissary/commit/da3a81a8977577597ff2a944820a5ae4e9762368",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NationalSecurityAgency/emissary/commit/da3a81a8977577597ff2a944820a5ae4e9762368"
        }
      ],
      "source": {
        "advisory": "GHSA-hw43-fcmm-3m5g",
        "discovery": "UNKNOWN"
      },
      "title": "Emissary Use of a Broken or Risky Cryptographic Algorithm"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-27508",
    "datePublished": "2025-03-05T21:32:42.470Z",
    "dateReserved": "2025-02-26T18:11:52.306Z",
    "dateUpdated": "2025-03-07T18:02:15.614Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-27508\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-03-05T22:15:35.867\",\"lastModified\":\"2025-03-07T18:15:48.033\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Emissary is a P2P based data-driven workflow engine. The ChecksumCalculator class within allows for hashing and checksum generation, but it includes or defaults to algorithms that are no longer recommended for secure cryptographic use cases (e.g., SHA-1, CRC32, and SSDEEP). These algorithms, while possibly valid for certain non-security-critical tasks, can expose users to security risks if used in scenarios where strong cryptographic guarantees are required. This issue is fixed in 8.24.0.\"},{\"lang\":\"es\",\"value\":\"Emissary es un motor de flujo de trabajo basado en datos P2P. La clase ChecksumCalculator permite la generaci\u00f3n de sumas de comprobaci\u00f3n y hash, pero incluye o utiliza de forma predeterminada algoritmos que ya no se recomiendan para casos de uso criptogr\u00e1fico seguro (por ejemplo, SHA-1, CRC32 y SSDEEP). Estos algoritmos, si bien pueden ser v\u00e1lidos para ciertas tareas no cr\u00edticas para la seguridad, pueden exponer a los usuarios a riesgos de seguridad si se utilizan en escenarios en los que se requieren garant\u00edas criptogr\u00e1ficas s\u00f3lidas. Este problema se solucion\u00f3 en 8.24.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-327\"}]}],\"references\":[{\"url\":\"https://github.com/NationalSecurityAgency/emissary/commit/da3a81a8977577597ff2a944820a5ae4e9762368\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hw43-fcmm-3m5g\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hw43-fcmm-3m5g\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-27508\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-07T18:01:59.726755Z\"}}}], \"references\": [{\"url\": \"https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hw43-fcmm-3m5g\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-07T18:02:09.691Z\"}}], \"cna\": {\"title\": \"Emissary Use of a Broken or Risky Cryptographic Algorithm\", \"source\": {\"advisory\": \"GHSA-hw43-fcmm-3m5g\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"NationalSecurityAgency\", \"product\": \"emissary\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 8.24.0\"}]}], \"references\": [{\"url\": \"https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hw43-fcmm-3m5g\", \"name\": \"https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hw43-fcmm-3m5g\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/NationalSecurityAgency/emissary/commit/da3a81a8977577597ff2a944820a5ae4e9762368\", \"name\": \"https://github.com/NationalSecurityAgency/emissary/commit/da3a81a8977577597ff2a944820a5ae4e9762368\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Emissary is a P2P based data-driven workflow engine. The ChecksumCalculator class within allows for hashing and checksum generation, but it includes or defaults to algorithms that are no longer recommended for secure cryptographic use cases (e.g., SHA-1, CRC32, and SSDEEP). These algorithms, while possibly valid for certain non-security-critical tasks, can expose users to security risks if used in scenarios where strong cryptographic guarantees are required. This issue is fixed in 8.24.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-327\", \"description\": \"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-03-05T21:32:42.470Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-27508\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-07T18:02:15.614Z\", \"dateReserved\": \"2025-02-26T18:11:52.306Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-03-05T21:32:42.470Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2025-27508

Vulnerability from fkie_nvd - Published: 2025-03-05 22:15 - Updated: 2025-03-07 18:15

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/NationalSecurityAgency/emissary/commit/da3a81a8977577597ff2a944820a5ae4e9762368
	security-advisories@github.com	https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hw43-fcmm-3m5g
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hw43-fcmm-3m5g

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Emissary is a P2P based data-driven workflow engine. The ChecksumCalculator class within allows for hashing and checksum generation, but it includes or defaults to algorithms that are no longer recommended for secure cryptographic use cases (e.g., SHA-1, CRC32, and SSDEEP). These algorithms, while possibly valid for certain non-security-critical tasks, can expose users to security risks if used in scenarios where strong cryptographic guarantees are required. This issue is fixed in 8.24.0."
    },
    {
      "lang": "es",
      "value": "Emissary es un motor de flujo de trabajo basado en datos P2P. La clase ChecksumCalculator permite la generaci\u00f3n de sumas de comprobaci\u00f3n y hash, pero incluye o utiliza de forma predeterminada algoritmos que ya no se recomiendan para casos de uso criptogr\u00e1fico seguro (por ejemplo, SHA-1, CRC32 y SSDEEP). Estos algoritmos, si bien pueden ser v\u00e1lidos para ciertas tareas no cr\u00edticas para la seguridad, pueden exponer a los usuarios a riesgos de seguridad si se utilizan en escenarios en los que se requieren garant\u00edas criptogr\u00e1ficas s\u00f3lidas. Este problema se solucion\u00f3 en 8.24.0."
    }
  ],
  "id": "CVE-2025-27508",
  "lastModified": "2025-03-07T18:15:48.033",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-03-05T22:15:35.867",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/NationalSecurityAgency/emissary/commit/da3a81a8977577597ff2a944820a5ae4e9762368"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hw43-fcmm-3m5g"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hw43-fcmm-3m5g"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-327"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-HW43-FCMM-3M5G

Vulnerability from github – Published: 2025-03-05 22:18 – Updated: 2025-03-06 01:33

Summary

Emissary May Use a Broken or Risky Cryptographic Algorithm

Details

Summary

The ChecksumCalculator class within allows for hashing and checksum generation, but it includes or defaults to algorithms that are no longer recommended for secure cryptographic use cases (e.g., SHA-1, CRC32, and SSDEEP). These algorithms, while possibly valid for certain non-security-critical tasks, can expose users to security risks if used in scenarios where strong cryptographic guarantees are required.

Requirement from NIST

Requirement from NIST regarding SHA1

https://csrc.nist.gov/projects/hash-functions#:~:text=NIST%20deprecated%20the%20use%20of,use%20of%20the%20SHA%2D1.

Federal agencies should use SHA-2 or SHA-3 as an alternative to SHA-1. Further guidance will be available soon. Send questions on the transition to sha-1-transition@nist.gov.

https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm

Mitigation and Fix

Make it clear to developers and users that the ChecksumCalculator is specific to the "Known File Filter" (KFF) document similarity feature and is not intended to suggest or endorse global use as a cryptographically secure hashing or checksum mechanism.

While these specific default insecure algorithms can not be updated without violating the intended use-case, it can be clearly documented and prevented using better access modifiers in the ChecksumCalculator class.

Details

Within ChecksumCalculator.java, the following points raise potential security concerns:

SHA-1: SHA-1 has been widely deprecated for cryptographic purposes due to known collision attacks. The constructor defaults to "SHA-1" if no specific algorithm is provided. CRC32: CRC32 is a simple checksum mechanism, not a cryptographic hash function. It is unsuitable for security-critical integrity checks since it can be easily manipulated or collided. SSDEEP (Fuzzy Hashing): SSDEEP is a context-specific tool used for similarity matching and may not be a secure cryptographic function for authentication or tamper detection. There is no apparent mechanism to prevent developers from using these weaker algorithms in security-sensitive contexts. Users of emissary who rely on ChecksumCalculator for strong security guarantees (e.g., data integrity or authentication) may be misled into assuming these algorithms provide adequate protection.

PoC

Code could be found https://github.com/NationalSecurityAgency/emissary/blob/main/src/main/java/emissary/kff/ChecksumCalculator.java

Impact

Impact Weakened Security Posture: Applications integrating Emissary may inadvertently use these algorithms in a way that could be exploited (e.g., collisions in SHA-1, trivial collisions in CRC32). Misleading Assurance: Developers might assume Emissary’s recommended defaults are secure for cryptographic validation, which can result in insecure implementations. Potential for Collision Attacks: Attackers could craft inputs that yield the same SHA-1 hash or manipulate CRC32 sums, thus bypassing naive integrity checks. Because this project is produced under the NSA umbrella, users may have an inflated trust in its security posture, potentially leading them to rely on these algorithms in high-security environments without recognizing the associated risks.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.23.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "gov.nsa.emissary:emissary"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27508"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-327"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-05T22:18:51Z",
    "nvd_published_at": "2025-03-05T22:15:35Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe ChecksumCalculator class within  allows for hashing and checksum generation, but it includes or defaults to algorithms that are no longer recommended for secure cryptographic use cases (e.g., SHA-1, CRC32, and SSDEEP). These algorithms, while possibly valid for certain non-security-critical tasks, can expose users to security risks if used in scenarios where strong cryptographic guarantees are required.\n\n### Requirement from NIST\nRequirement from NIST regarding SHA1\n\nhttps://csrc.nist.gov/projects/hash-functions#:~:text=NIST%20deprecated%20the%20use%20of,use%20of%20the%20SHA%2D1.\n\n\u003e Federal agencies should use SHA-2 or SHA-3 as an alternative to SHA-1.\n\u003e Further guidance will be available soon. Send questions on the transition to sha-1-transition@nist.gov.\n\nhttps://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm\n\n### Mitigation and Fix\nMake it clear to developers and users that the ChecksumCalculator is specific to the \"Known File Filter\" (KFF) document similarity feature and is not intended to suggest or endorse global use as a cryptographically secure hashing or checksum mechanism.\n\nWhile these specific default insecure algorithms can not be updated without violating the intended use-case, it can be clearly documented and prevented using better access modifiers in the ChecksumCalculator class.\n\n### Details\nWithin ChecksumCalculator.java, the following points raise potential security concerns:\n\nSHA-1:\nSHA-1 has been widely deprecated for cryptographic purposes due to known collision attacks.\nThe constructor defaults to \"SHA-1\" if no specific algorithm is provided.\nCRC32:\nCRC32 is a simple checksum mechanism, not a cryptographic hash function. It is unsuitable for security-critical integrity checks since it can be easily manipulated or collided.\nSSDEEP (Fuzzy Hashing):\nSSDEEP is a context-specific tool used for similarity matching and may not be a secure cryptographic function for authentication or tamper detection.\nThere is no apparent mechanism to prevent developers from using these weaker algorithms in security-sensitive contexts. Users of emissary who rely on ChecksumCalculator for strong security guarantees (e.g., data integrity or authentication) may be misled into assuming these algorithms provide adequate protection.\n\n### PoC\nCode could be found https://github.com/NationalSecurityAgency/emissary/blob/main/src/main/java/emissary/kff/ChecksumCalculator.java\n\n### Impact\nImpact\nWeakened Security Posture: Applications integrating Emissary may inadvertently use these algorithms in a way that could be exploited (e.g., collisions in SHA-1, trivial collisions in CRC32).\nMisleading Assurance: Developers might assume Emissary\u2019s recommended defaults are secure for cryptographic validation, which can result in insecure implementations.\nPotential for Collision Attacks: Attackers could craft inputs that yield the same SHA-1 hash or manipulate CRC32 sums, thus bypassing naive integrity checks.\nBecause this project is produced under the NSA umbrella, users may have an inflated trust in its security posture, potentially leading them to rely on these algorithms in high-security environments without recognizing the associated risks.",
  "id": "GHSA-hw43-fcmm-3m5g",
  "modified": "2025-03-06T01:33:29Z",
  "published": "2025-03-05T22:18:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hw43-fcmm-3m5g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27508"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NationalSecurityAgency/emissary/commit/da3a81a8977577597ff2a944820a5ae4e9762368"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NationalSecurityAgency/emissary"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NationalSecurityAgency/emissary/releases/tag/8.24.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Emissary May Use a Broken or Risky Cryptographic Algorithm"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-27508 (GCVE-0-2025-27508)

FKIE_CVE-2025-27508

GHSA-HW43-FCMM-3M5G

Summary

Requirement from NIST

Mitigation and Fix

Details

PoC

Impact

Tags

Sightings

Nomenclature