CVE-2025-2862

SaTECH BCU, in its firmware version 2.1.3, performs weak password encryption. This allows an attacker with access to the device's system or website to obtain the credentials, as the storage methods used are not strong enough in terms of encryption.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-arteches-satech-bcu	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:arteche:satech_bcu_firmware:2.1.3:*:*:*:*:*:*:*

cpe:2.3:h:arteche:satech_bcu:-:*:*:*:*:*:*:*

History

15 Oct 2025, 16:50

Type	Values Removed	Values Added
First Time		Arteche satech Bcu Firmware Arteche Arteche satech Bcu
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~() https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-arteches-satech-bcu -~~	() https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-arteches-satech-bcu - Third Party Advisory
CPE		cpe:2.3:h:arteche:satech_bcu:-:::::::* cpe:2.3:o:arteche:satech_bcu_firmware:2.1.3:::::::*
Summary		(es) SaTECH BCU, en su versión de firmware 2.1.3, utiliza un cifrado de contraseñas débil. Esto permite que un atacante con acceso al sistema o sitio web del dispositivo obtenga las credenciales, ya que los métodos de almacenamiento utilizados no ofrecen un cifrado lo suficientemente sólido.

28 Mar 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-28 14:15

Updated : 2025-10-15 16:50

NVD link : CVE-2025-2862

Mitre link : CVE-2025-2862

CVE.ORG link : CVE-2025-2862

JSON object : View

Products Affected

arteche

satech_bcu
satech_bcu_firmware

CWE

CWE-261

Weak Encoding for Password

{"id": "CVE-2025-2862", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-03-28T14:15:21.257", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-arteches-satech-bcu", "tags": ["Third Party Advisory"], "source": "cve-coordination@incibe.es"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cve-coordination@incibe.es", "description": [{"lang": "en", "value": "CWE-261"}]}], "descriptions": [{"lang": "en", "value": "SaTECH BCU, in its firmware version 2.1.3, performs weak password encryption. This allows an attacker with access to the device's system or website to obtain the credentials, as the storage methods used are not strong enough in terms of encryption."}, {"lang": "es", "value": "SaTECH BCU, en su versi\u00f3n de firmware 2.1.3, utiliza un cifrado de contrase\u00f1as d\u00e9bil. Esto permite que un atacante con acceso al sistema o sitio web del dispositivo obtenga las credenciales, ya que los m\u00e9todos de almacenamiento utilizados no ofrecen un cifrado lo suficientemente s\u00f3lido."}], "lastModified": "2025-10-15T16:50:59.443", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:arteche:satech_bcu_firmware:2.1.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A65A2842-1A84-420B-9F90-2F0DB0F0709C"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:arteche:satech_bcu:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "089E0E50-93BD-4E13-A4E5-982A20BD8877"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve-coordination@incibe.es"}