CVE-2023-25263

MEDIUM

Stimulsoft Designer 2023.1.4-2023.1.5 - Cleartext Storage of Sensitive Information in Connection String

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-25263. PoCs published by trustcves.

AI-analyzed exploit summary The writeup details CVE-2023-25263, a vulnerability in Stimulsoft Designer where static secrets are used to encrypt connection strings in .mrt files. The researchers decompiled the application to extract the static secret and demonstrated decryption of the connection strings.

Description

In Stimulsoft Designer (Desktop) 2023.1.5, and 2023.1.4, once an attacker decompiles the Stimulsoft.report.dll the attacker is able to decrypt any connectionstring stored in .mrt files since a static secret is used. The secret does not differ between the tested versions and different operating systems.

Exploits (1)

nomisec WRITEUP
by trustcves · poc
https://github.com/trustcves/CVE-2023-25263

The writeup details CVE-2023-25263, a vulnerability in Stimulsoft Designer where static secrets are used to encrypt connection strings in .mrt files. The researchers decompiled the application to extract the static secret and demonstrated decryption of the connection strings.

Classification
Writeup 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Stimulsoft Designer (Desktop), Stimulsoft Designer (Web) versions 2023.1.4, 2023.1.5, and prior
No auth needed
Prerequisites: Access to an .mrt file with an embedded SQL-Datasource
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 5.5
EPSS 0.0025
EPSS Percentile 15.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-312
Status published
Products (2)
stimulsoft/designer 2023.1.4 (2 CPE variants)
stimulsoft/designer 2023.1.5 (2 CPE variants)
Published Mar 27, 2023
Tracked Since Feb 18, 2026