CVE-2025-63958

24.11.2025, 17:16

MILLENSYS Vision Tools Workspace 6.5.0.2585 exposes a sensitive configuration endpoint (/MILLENSYS/settings) that is accessible without authentication. This page leaks plaintext database credentials, file share paths, internal license server configuration, and software update parameters. An unauthenticated attacker can retrieve this information by accessing the endpoint directly, potentially leading to full system compromise. The vulnerability is due to missing access controls on a privileged administrative function.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CISA-ADP	ADP	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 61%

Vendor	Product	Version
millensys	vision_tools_workspace	5.10.5.2429
millensys	vision_tools_workspace	6.5.0.2585
millensys	vision_tools_workspace	6.5.0.2596

𝑥

= Vulnerable software versions

Known Exploits!

https://ozex.gitlab.io/tricks_hacks/2025-11-19-cve-2025-63958/index.html

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

https://ozex.gitlab.io/tricks_hacks/2025-11-19-cve-2025-63958/index.html

https://www.millensys.com/