CVE-2025-47276

HIGH

Actualizer <1.2.0 - Info Disclosure

Title source: llm

Description

Actualizer is a single shell script solution to allow developers and embedded engineers to create Debian operating systems (OS). Prior to version 1.2.0, Actualizer uses OpenSSL's "-passwd" function, which uses SHA512 instead of a more suitable password hasher like Yescript/Argon2i. All Actualizer users building a full Debian Operating System are affected. Users should upgrade to version 1.2.0 of Actualizer. Existing OS deployment requires manual password changes against the alpha and root accounts. The change will deploy's Debian's yescript overriding the older SHA512 hash created by OpenSSL. As a workaround, users need to reset both `root` and "Alpha" users' passwords.

References (7)

[Vendor Advisory] https://github.com/ChewKeanHo/Actualizer/security/advisories/GHSA-v626-chv9-v9qr

[Issue Tracking] https://github.com/ChewKeanHo/Actualizer/issues/1

[Issue Tracking] https://github.com/openssl/openssl/issues/19340

[Patch] https://github.com/ChewKeanHo/Actualizer/commit/32c9cc232c856f078f8269fba80ce7562bbff86b

View Patch ZIP pw:eip

[Various Sources] https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

[Release Notes] https://github.com/ChewKeanHo/Actualizer/releases/tag/v1.2.0

[Various Sources] https://www.reddit.com/r/debian/comments/1kknzqi/actualizer_v110_upgraded

Scores

CVSS v3 7.5

EPSS 0.0024

EPSS Percentile 47.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-328

Status published

Products (1)

ChewKeanHo/Actualizer < 1.2.0

Published May 13, 2025

Tracked Since Feb 18, 2026