CVE-2025-40680

MEDIUM

CapillaryScope <2.5.0 - Info Disclosure

Description

CapillaryScope v2.5.0 from Capillary io does not encrypt sensitive data: it stores both the proxy credentials and the JWT session token in plain text in different registry keys on the Windows operating system. Any authenticated local user with read access to the registry can extract these sensitive values.

Scores

CVSS v4 6.9
EPSS 0.0001
EPSS Percentile 1.5%
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-311
Status published
Products (1)
Capillary io/CapillaryScope < 2.5.0
Published Jul 24, 2025
Tracked Since Feb 18, 2026