CVE-2025-22896

8.6 HIGH

📋 TL;DR

mySCADA myPRO Manager stores credentials in cleartext, allowing attackers to read sensitive authentication data. This affects all systems running vulnerable versions of mySCADA myPRO Manager software. Attackers with access to the system could compromise SCADA/ICS environments.

💻 Affected Systems

Products:
  • mySCADA myPRO Manager
Versions: All versions prior to patched release
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations where credentials are stored by the application. The vulnerability is in the credential storage mechanism itself.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of SCADA/ICS systems leading to operational disruption, safety incidents, or industrial espionage through credential theft and subsequent unauthorized access.

🟠 Likely Case

Credential harvesting leading to unauthorized access to SCADA systems, potentially allowing configuration changes, data exfiltration, or limited operational impact.

🟢 If Mitigated

Isolated credential exposure with no lateral movement due to network segmentation and strong access controls limiting the blast radius.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local or remote access to read credential storage files. No authentication bypass needed if files are accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific version

Vendor Advisory: https://www.myscada.org/contacts/

Restart Required: No

Instructions:

1. Contact mySCADA vendor for patched version.
2. Download and install updated myPRO Manager.
3. Verify credential storage is now encrypted.

🔧 Temporary Workarounds

Restrict File Access

Windows

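Apply strict file system permissions to prevent unauthorized reading of credential storage files. A deny entry for Everyone takes precedence over allow entries, so it also blocks administrators and the account the application runs under; confirm that myPRO Manager still starts and operates after applying it.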

icacls "C:\Program Files\mySCADA\myPRO Manager\*" /deny Everyone:(R)
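
To see which files under that directory broad groups can currently read, before and after changing permissions, the following PowerShell audit can be used. It is an added example, not from the vendor or the original page; the install path is taken from the command above, and the set of SIDs treated as "broad" is an assumption.

```powershell
# Added example: list ACEs that let broad groups read files under the
# myPRO Manager install directory. Path is the one used in the icacls
# workaround; the set of "broad" SIDs is an assumption, adjust as needed.
param([string]$Root = 'C:\Program Files\mySCADA\myPRO Manager')

$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# ReadData (0x1) plus GENERIC_READ and GENERIC_ALL, which Windows can store
# unmapped in inherit-only ACEs.
$ReadMask = 0x1 -bor 0x80000000 -bor 0x10000000
$SidType  = [System.Security.Principal.SecurityIdentifier]

function Get-BroadReadAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs rather than names so the check works on localized systems.
    foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
        $sid = $ace.IdentityReference.Value
        if (-not $BroadSids.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights -band $ReadMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $BroadSids[$sid]
            Type      = $ace.AccessControlType   # Allow or Deny
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if (-not (Test-Path -LiteralPath $Root)) { throw "Path not found: $Root" }

$targets  = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
$findings = foreach ($t in $targets) { Get-BroadReadAce -Path $t.FullName }

# Allow entries are the exposure; Deny entries show where a workaround is in place.
$findings | Sort-Object Type, Path | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so that Get-Acl can read every file's security descriptor.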

🧯 If You Can't Patch

  • Implement network segmentation to isolate myPRO Manager from untrusted networks
  • Deploy application whitelisting to prevent unauthorized processes from accessing credential files

🔍 How to Verify

Check if Vulnerable:

Check if credential files in myPRO Manager installation directory contain plaintext passwords or are unencrypted

Check Version:

Check application version in Help > About or program properties

Verify Fix Applied:

Verify credential files are encrypted or hashed after patch installation

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts followed by successful login from new location
  • Unusual file access patterns to credential storage files

Network Indicators:

  • Unexpected connections to SCADA systems from new IP addresses
  • Anomalous protocol traffic patterns

SIEM Query:

source="myPRO Manager" AND ((event_type="file_access" AND file_path="*credential*") OR (auth_success="true" AND src_ip NOT IN allowed_ips))
