SRA Labs

Milner ImageDirector Capture

Tue, 20 Jan 2026 12:00:00 +0000

Summary

SRA has identified multiple vulnerabilities in Milner ImageDirector Capture that can lead to database access, credential access, database credential interception, and decryption of document archives.

CVE Identifiers

CVE ID	CVE Name
CVE-2025-58740	Hardcoded Encryption Key Enables Database Credential Access in Milner ImageDirector
CVE-2025-58741	Insecure Masked Credential Fields Enable Database Credential Access in Milner ImageDirector Capture
CVE-2025-58742	Insufficient Configuration Protections Enable Database Credential Interception in Milner ImageDirector Capture
CVE-2025-58743	Insecure Encryption Algorithm Enables Brute-Force of Database Credentials in Milner ImageDirector Capture
CVE-2025-58744	Hard-Coded Default Credentials Enable Document Archive Decryption in Milner ImageDirector Capture

Vulnerability Details / Description

CVE-2025-58740: Hardcoded Encryption Key Enables Database Credential Access in Milner ImageDirector

The Milner ImageDirector Capture application is vulnerable to credential exposure due to a hardcoded encryption key. The application stores a static cryptographic key within the C2SGlobalSettings.dll executable that encrypts database credentials. SRA identified this vulnerability by reverse engineering the Password function within the DLL, which revealed the hardcoded key used for credential encryption. An attacker can extract this key through static analysis of the executable and subsequently decrypt database credentials stored by the application at rest

Severity

The CVSS base score of this vulnerability has been calculated to be 8.5 (High)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

CVE-2025-58741: Insecure Masked Credential Fields Enable Database Credential Access in Milner ImageDirector Capture

The Milner ImageDirector Capture application is vulnerable to credential disclosure through memory analysis. The Connection Settings dialog stores database credentials in plaintext within application memory, including masked password fields that appear obfuscated in the user interface. SRA identified this vulnerability by opening the Connection Settings dialog and performing memory analysis using BulletsPassView on the running application process. The tool successfully extracted plaintext database usernames and passwords directly from process memory, despite the password field appearing masked with asterisks in the interface. The credentials remain accessible in memory for the duration that the dialog window stays open.

Severity

The CVSS base score of this vulnerability has been calculated to be 8.5 (High)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

CVE-2025-58742: Insufficient Configuration Protections Enable Database Credential Interception in Milner ImageDirector Capture

The Milner ImageDirector Capture application is vulnerable to credential interception through server redirection attacks. The Connection Settings dialog allows users to modify the database server address without clearing stored credentials, enabling an attacker to redirect authentication attempts to a malicious server. SRA identified this vulnerability by modifying the ‘Server’ field in the Connection Settings dialog to point to an attacker-controlled database server. When the application attempts to authenticate using the stored credentials, it transmits the username and password to the specified server address, allowing the attacker’s server to capture the plaintext authentication data. The application does not validate server certificates or implement additional protections against server redirection attacks.

Severity

The CVSS base score of this vulnerability has been calculated to be 8.5 (High)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

CVE-2025-58743: Insecure Encryption Algorithm Enables Brute-Force of Database Credentials in Milner ImageDirector Capture

The Milner ImageDirector Capture application is vulnerable to credential exposure through weak cryptographic implementation. The Password class within C2SConnections.dll uses the deprecated Data Encryption Standard (DES) algorithm to encrypt database credentials stored locally. SRA identified this vulnerability by reverse engineering the Password class and analyzing the cryptographic functions, which revealed the use of 56-bit DES encryption with a static initialization vector. The weak key length and algorithm design make encrypted credentials susceptible to brute-force attacks using modern computational resources.

Severity

The CVSS base score of this vulnerability has been calculated to be 7.2 (High)

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:H/SI:H/SA:H

CVE-2025-58744: Hard-Coded Default Credentials Enable Document Archive Decryption in Milner ImageDirector Capture

The Milner ImageDirector Capture application is vulnerable to document decryption through hardcoded default credentials. The C2SGlobalSettings.dll contains a static “DelayedTransmissionPassword” that encrypts archived documents stored by the application. SRA identified this vulnerability by reverse engineering the C2SGlobalSettings.dll and locating the hardcoded password string within the compiled binary. The application uses this default password to encrypt document archives when users do not specify a custom delayed transmission password. An attacker can extract this hardcoded credential through static analysis and use it to decrypt any document archives encrypted with the default password, bypassing the intended document protection mechanisms.

Severity

The CVSS base score of this vulnerability has been calculated to be 6.9 (Medium)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Versions and Models

Milner ImageDirector Capture from 7.0.9 but before 7.6.3.25808. Versions prior to 7.0.9 may also be affected.

MITRE CWE Weakness Enumeration

CVE-2025-58740

CWE-321: Use of Hard-coded Cryptographic Key

CVE-2025-58741

CWE-522: Insufficiently Protected Credentials

CVE-2025-58742

CWE-522: Insufficiently Protected Credentials
CWE-923: Improper Restriction of Communication Channel to Intended Endpoints

CVE-2025-58743

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

CVE-2025-58744

CWE-1392: Use of Default Credentials
CWE-798: Use of Hard-coded Credentials

Remediation Options

Update Milner ImageDirector Capture to 7.6.3.25808 or later.

Source

These vulnerabilities were discovered by Asa Reynolds and Rick Console as part of research performed by Security Risk Advisors.

Timeframe

October 15-23, 2025 – SRA attempts to establish contact with Milner to disclose vulnerabilities.
November 04, 2025 – Milner acknowledges vulnerabilities and intent to fix.
December 31, 2025 – Milner releases ImageDirector Capture 7.6.3.25808.
January 20, 2026 – SRA publishes CVEs and advisory.

Quest Coexistence Manager for Notes

Fri, 19 Dec 2025 12:00:00 +0000

Summary

SRA has identified a vulnerability in Quest Coexistence Manager for Notes that can lead to bypassing access controls, poisoning web caches, hijacking sessions, or triggering unintended internal requests.

CVE Identifiers

CVE ID	CVE Name
CVE-2025-12874	HTTP Request Smuggling in Quest Coexistence Manager for Notes

Vulnerability Details / Description

Quest Coexistence Manager for Notes (3.8.2045) is vulnerable in the Free/Busy Connector to HTTP request smuggling from an unauthenticated remote attacker. The front-end and back-end components rely on inconsistent header parsing, resulting in desynchronized request boundaries. In this case, the front-end server uses the Content-Length header to determine the end of the request body, forwarding the full request. The back-end server interprets the request using Transfer-Encoding: chunked, processing only the first chunk (declared as zero-length) and treating the remaining bytes as a new, separate request. The attacker embeds a second, hidden request in the body of the original message. Due to the parsing mismatch, this smuggled request is processed independently by the back-end server.

Severity

The CVSS base score of this vulnerability has been calculated to be 6.3 (Medium).

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/U:Clear

Affected Versions and Models

Quest Coexistence Manager for Notes 3.8.2045

MITRE CWE Weakness Enumeration

CWE-444: Inconsistent Interpretation of HTTP Requests

Remediation Options

Update Quest Coexistence Manager for Notes to latest version.

Source

This vulnerability was discovered by Cam Lischke as part of research performed by Security Risk Advisors.

Timeframe

November 3, 2025 – SRA submits vulnerability support case to Quest.
November 4 through November 7, 2025 – SRA submits details of vulnerability to Quest.
December 9, 2025 – SRA notifies Quest of intent to publicly disclose.
December 12, 2025 – Quest acknowledges intent to publicly disclose.
December 17, 2025 – Quest notifies SRA of intent to create a knowledge base article for Quest Support Portal

Brivo Access Control Systems

Mon, 19 Feb 2024 12:00:00 +0000

Summary

SRA has identified multiple vulnerabilities in Brivo Access Control Systems that can lead to the disclosure of sensitive system data and allow degradation or bypass of critical system functions.

CVE Identifiers

CVE ID	CVE Name
CVE-2023-6259	Local Access to Sensitive Data
CVE-2023-6260	Web UI OS Command Injection

Vulnerability Details / Description

CVE-2023-6259 – Local Access to Sensitive Data

An attacker with physical access to the ACS100 or ACS300 devices can access sensitive data from device memory that can be used to conduct additional attacks.

Severity

The CVSS severity level of this vulnerability has been calculated to be 7.1 (High)

CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2023-6260 – Web UI OS Command Injection

ACS300 (Physical Access)

An attacker with physical access to ACS300 devices can perform a command injection attack via the web UI and gain access to sensitive data that can be used to conduct additional attacks.

Severity

The CVSS base score of this vulnerability has been calculated to be 7.4 (High) for the physical access scenario:

CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

ACS100 (Adjacent Network Access)

An attacker with local network access to ACS100 devices can perform a command injection attack via the web UI and gain access to sensitive data that can be used to conduct additional attacks.

Severity

The CVSS severity level of this vulnerability has been calculated to be 9.0 (High) for the adjacent network access scenario:

CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected Versions and Models

Affects models ACS100, ACS300. Models ACS6000 and ACSSDC may also be affected.

Severity

Affects firmware versions from 5.2.4 but before 6.2.4.3. Versions prior to 5.2.4 may also be affected.

MITRE CWE Weakness Enumeration

CWE-284: Improper Access Control

CWE-522: Insufficiently Protected Credentials

CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

Remediation Options

Update affected devices to firmware version 6.2.4.3. Contact Brivo or your reseller for more information.

Source

These vulnerabilities were discovered by Alexandra Grochal and Gabe Siftar, as part of a research initiative for Security Risk Advisors’ internal hardware penetration testing team.

Timeframe

October 9, 2023 – SRA attempts initial contact with Brivo.
November 9, 2023 – SRA shares vulnerability details with Brivo’s product security team.
November 29, 2023 – SRA reserves CVE IDs.
December 15, 2023 – Brivo releases fix to production.

Conferences

Mon, 01 Jan 0001 00:00:00 +0000

The following is a list of conference talk given by Security Risk Advisors.

Year	Conference	Talk	Presenter	Resources
2026	BSides OT UK	Mind the Gap: Security on Paper, Reality on the Wire	Mandie Grosskopf	Slides
2026	Insomni’hack	Pruning Garden Paths in AWS	Evan Perotti	Slides Video
2026	BSides ICS/OT	Fabricating Kill Chains	Connor Jackson	Slides
2026	BSides ICS/OT	Mission: Resilient - Your OT Cybersecurity Maturity Made Possibles	Mandie Grosskopf	Slides
2025	BSides Philly	Hiding in Plain Sight: Weaponizing Developer Applications and Interpreted Languages to Evade Modern EDR	Annika Clarke	Slides Video
2025	BSides Philly	Letthemin: Facilitating High-Value Purple Teams Using an Assumed Compromise Approach	Sarah Hume	Slides
2025	BSides Philly	NAC to the Future	Richard Console	Slides Video
2025	BSides Philly	Screaming About Detection Coverage in ALLCAPS	Evan Perotti	Slides Video
2025	Burning River Cyber Con	Hiding in Plain Sight: Weaponizing Developer Applications and Interpreted Languages to Evade Modern EDR	Annika Clarke	Slides
2025	Burning River Cyber Con	An OffSec Adventure Through Modern CI/CD Systems	Jonathan Callahan	Slides
2025	BSides Chicago	Pruning Garden Paths in AWS	Evan Perotti	Slides
2025	Rochester Security Summit	What Could Go Wrong? AI Security Mistakes Event Fortune 500 Companies Are Making	Savannah Alfaro & Zachary Wallace	Slides Video
2025	DEFCON 33 Adversary Village	Letthemin: Facilitating High Value Purple Teams Using Assumed Compromise	Sarah Hume	Slides Video
2023	BSides Philly	GET IN THE BOX	Dan Astor & Jonathan Callahan	Slides Video
2023	BSides Philly	RPC Filter I Hardly Know Her	Evan Perotti	Slides Video
2023	Rochester Security Summit	A Hardware Hacker’s Perspective	Zachary Lehmann & Gabe Siftar	Slides Video
2021	ShellCon	Pipelines & Serverless & Automation, Oh My!	Cassandra Young, Jonathan Callahan, & Evan Perotti	Slides Video
2018	BSides Pittsburgh	Heavy Machinery and Burly Lumberjacks and Logging! Oh My!	Dan Astor & Evan Perotti	Slides Video
2017	BSides Philly	Threat Hunting: Defining the Process While Circumventing Corporate Obstacles	Kevin Foster, Matt Schneck, & Ryan Andress	Slides & Video
2017	BSides Philly	MFA: It’s 2017 and You’re Still Doing It Wrong	Chris Salerno & Dan Astor	Slides & Video
2017	BSides NOLA	Your New Red Team Hardware Survival Pack	Chris Salerno & Dan Astor	Slides

Privacy Policy

Mon, 01 Jan 0001 00:00:00 +0000

This privacy policy for Security Risk Advisors, LLC (“SRA”, “we,” “us,” and “our”), describes how and why we might collect, store, use, and/or share (“process”) your information when you visit the Security Risk Advisors Labs site (“labs.sra.io”). Please also refer to the primary Security Risk Advisors privacy policy: https://sra.io/privacy/

We do not process sensitive personal information. We use third-party analytics tools to help us measure traffic and usage trends. These tools collect information sent by your device or our services, including how you use the site, the web pages you visit on the site, add-ons, and other information that assists us in improving our services.

We use the following third-party analytics services:

Umami Software, Inc (https://umami.is/)
- Privacy policy: https://umami.is/privacy

Published Advisories

Mon, 01 Jan 0001 00:00:00 +0000

The following is a list of all publicly disclosed vulnerabilities discovered by Security Risk Advisors researchers.

All security vulnerabilities that are acquired by Security Risk Advisors are handled according to the SRA Disclosure Policy.

After the vendor has issued a patch or fix publicly and is within the timeframe agreed upon, SRA will release a public advisory disclosing its findings along with a timeframe from disclosure to advisory publish.

Name	CVE ID	Vulnerability Type	Affects
Brivo Access Control Systems	CVE-2023-6259	Local Access to Sensitive Data	Models ACS100, ACS300. Models ACS6000 and ACSSDC may also be affected.
Brivo Access Control Systems	CVE-2023-6260	Web UI OS Command Injection	Versions from 5.2.4 but before 6.2.4.3. Versions prior to 5.2.4 may also be affected.
Quest Coexistence Manager for Notes	CVE-2025-12874	HTTP Request Smuggling in Quest Coexistence Manager for Notes	Quest Coexistence Manager for Notes 3.8.2045
Milner ImageDirector Capture	CVE-2025-58740	Hardcoded Encryption Key Enables Database Credential Access in Milner ImageDirector	Milner ImageDirector Capture from 7.0.9 but before 7.6.3.25808. Versions prior to 7.0.9 may also be affected.
Milner ImageDirector Capture	CVE-2025-58741	Insecure Masked Credential Fields Enable Database Credential Access in Milner ImageDirector Capture	Milner ImageDirector Capture from 7.0.9 but before 7.6.3.25808. Versions prior to 7.0.9 may also be affected.
Milner ImageDirector Capture	CVE-2025-58742	Insufficient Configuration Protections Enable Database Credential Interception in Milner ImageDirector Capture	Milner ImageDirector Capture from 7.0.9 but before 7.6.3.25808. Versions prior to 7.0.9 may also be affected.
Milner ImageDirector Capture	CVE-2025-58743	Insecure Encryption Algorithm Enables Brute-Force of Database Credentials in Milner ImageDirector Capture	Milner ImageDirector Capture from 7.0.9 but before 7.6.3.25808. Versions prior to 7.0.9 may also be affected.
Milner ImageDirector Capture	CVE-2025-58744	Hard-Coded Default Credentials Enable Document Archive Decryption in Milner ImageDirector Capture	Milner ImageDirector Capture from 7.0.9 but before 7.6.3.25808. Versions prior to 7.0.9 may also be affected.

Security Risk Advisors Intl, LLC – Disclosure Policy

Mon, 01 Jan 0001 00:00:00 +0000

This policy outlines how Security Risk Advisors (SRA) handle responsible vulnerability disclosure to product vendors, security vendors, and the public.

Notification

Once a vulnerability has been identified and confirmed through our own research and/or services, we will notify the product vendor of a security flaw within their product or service. SRA will make three (3) attempts to reach the vendor through formal methods (e.g., email, phone, disclosure portals). After each of these attempts, SRA will give the vendor 5 days to acknowledge and respond.

Email messages will originate from advisories@sra.io.

Disclosure

If SRA exhausts all reasonable means to contact a vendor, then SRA may issue a public advisory disclosing its findings thirty (30) days after the initial contact.

If a response is received, SRA will allow the vendor 3-months (90 days) to address the flaw with a security patch or other corrective measure. During this time, it is expected that the vendor maintains open communication with SRA and provide regular updates to the status of the remediation/patch. The vendor is encouraged to provide credit to SRA and the individuals that identified the vulnerability (e.g., “Credit to [Researcher] from Security Risk Advisors for identifying and responsibly disclosing the vulnerability to [vendor]”).

Last Modified: Q2 2023