Full Report
An Insufficiently Protected Credentials vulnerability (CVE-2025-5922) has been found in TSplus Remote Access software.
Analysis Summary
# Vulnerability: Insufficiently Protected Credentials in TSplus Remote Access
## CVE Details
- CVE ID: CVE-2025-5922
- CVSS Score: Not explicitly provided in the text (Severity based on description is High for credential compromise)
- CWE: CWE-522 (Insufficiently Protected Credentials)
## Affected Systems
- Products: TSplus Remote Access
- Versions: All versions prior to v18.40.6.17, v17.2025.6.27 (LTS), and v16.2025.6.27 (LTS).
- Configurations: Affects configurations where the Admin Tool is accessible, even if UAC is disabled.
## Vulnerability Description
The vulnerability exists because the hash of the PIN required to access the TSplus Remote Access Admin Tool is stored in the Windows system registry without proper salting. This design flaw allows a regular user, provided they have registry access, to retrieve this unsalted hash. The unsalted hash is vulnerable to offline brute-force attacks, potentially aided by precomputed rainbow tables, leading to the compromise of the administrative PIN/credential.
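Why the missing salt matters, and what a salted, slow derivation looks like, as an added example that is not TSplus code and is not taken from the advisory. The page does not name the hash algorithm or describe how the fixed versions store the PIN, so SHA-256, PBKDF2-HMAC-SHA256 with 600,000 iterations, the function names, the host names and the sample PIN are all assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for the host


def unsalted_digest(pin):
    """Weak scheme (SHA-256 assumed): output depends only on the PIN."""
    return hashlib.sha256(pin.encode()).hexdigest()


def protect_pin(pin):
    """Hardened scheme: fresh random salt per record plus a slow KDF."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": dk.hex()}


def verify_pin(pin, record):
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk, bytes.fromhex(record["hash"]))


def audit(records):
    """Return hosts storing a value with no salt, and groups of hosts
    whose stored values are identical (same secret, same digest)."""
    no_salt = sorted(h for h, r in records.items() if not r.get("salt"))
    by_hash = defaultdict(list)
    for host, rec in records.items():
        by_hash[rec["hash"]].append(host)
    shared = sorted(sorted(g) for g in by_hash.values() if len(g) > 1)
    return no_salt, shared


if __name__ == "__main__":
    pin = "4821"  # constructed sample PIN
    inventory = {  # constructed records for three hypothetical hosts
        "host-a": {"hash": unsalted_digest(pin)},
        "host-b": {"hash": unsalted_digest(pin)},
        "host-c": protect_pin(pin),
    }
    print(audit(inventory))
    print(verify_pin(pin, inventory["host-c"]),
          verify_pin("0000", inventory["host-c"]))
```

The two unsalted records are byte-for-byte identical, which is the property that lets one precomputed table serve every installation; the salted record differs on every host even for the same PIN.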
## Exploitation
- Status: PoC available (implied by the described susceptibility to rainbow tables and brute force; "PoC available" is not explicitly stated, but the condition makes attacks highly feasible).
- Complexity: Low (Offline hash cracking utilizing rainbow tables is generally considered low complexity once the hash is retrieved).
- Attack Vector: Local (Requires local access to read the system registry where the hash is stored).
## Impact
- Confidentiality: High (Administrative access credentials can be exposed).
- Integrity: High (Compromise of administrative credentials allows for system changes).
- Availability: Medium/High (Depending on follow-on actions by an attacker utilizing compromised admin rights).
## Remediation
### Patches
- TSplus Remote Access v**18.40.6.17**
- TSplus Remote Access LTS v**17.2025.6.27**
- TSplus Remote Access LTS v**16.2025.6.27**
### Workarounds
- No specific workarounds were provided in the summary text, but ensuring the PIN is complex and monitoring for unauthorized registry access could serve as temporary measures until patching.
## Detection
- Indicators of Compromise: Logs showing unusual access to the system registry hive containing the TSplus PIN hash, specifically attempts to retrieve or modify keys related to the Admin Tool configuration.
- Detection Methods and Tools: Endpoint detection tools capable of monitoring registry modification/read events for sensitive keys associated with TSplus configuration files.
## References
- Vendor advisories: TSplus (Implied, as CERT Polska coordinated disclosure)
- Relevant links (defanged):
  - hxxps://incydent.cert.pl/#!/lang=en
  - hxxps://www.cve.org/CVERecord?id=CVE-2025-5922
  - hxxps://cwe.mitre.org/data/definitions/522.html
  - hxxps://cert.pl/en/cvd/