CVE-2026-39031

Sažetak

Lansweeper lsrunase 2.0 and lsencrypt 2.0 use RC4 encryption with a hardcoded 142-byte static key array to encrypt credentials. An 8-character prefix is stored in cleartext alongside the ciphertext. This allows an attacker with local access to recover any encrypted password to plaintext using a single SHA-1 hash and RC4 decryption operation, with no brute force required.

Reference

https://github.com/user6400/cve-2026-39031-lansweeper-lsrunase2-lsencrypt2
https://usermode.net/cve/lansweeper_lsrunase2_lsencrypt2_cve.pdf
https://github.com/user6400/cve-2026-39031-lansweeper-lsrunase2-lsencrypt2
https://usermode.net/cve/lansweeper_lsrunase2_lsencrypt2_cve.pdf

CVSS

Base:	5.5
Impact:	3.6
Exploitability:	1.8

Pristup

Vektor	Složenost	Autentikacija
LOCAL	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	NONE	NONE

CVSS vektor

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Zadnje važnije ažuriranje

29-06-2026 - 19:27

Objavljeno

26-06-2026 - 21:16