Posts on SRA Labs

Milner ImageDirector Capture

Tue, 20 Jan 2026 12:00:00 +0000

Summary

SRA has identified multiple vulnerabilities in Milner ImageDirector Capture that can lead to database access, credential access, database credential interception, and decryption of document archives.

CVE Identifiers

CVE ID	CVE Name
CVE-2025-58740	Hardcoded Encryption Key Enables Database Credential Access in Milner ImageDirector
CVE-2025-58741	Insecure Masked Credential Fields Enable Database Credential Access in Milner ImageDirector Capture
CVE-2025-58742	Insufficient Configuration Protections Enable Database Credential Interception in Milner ImageDirector Capture
CVE-2025-58743	Insecure Encryption Algorithm Enables Brute-Force of Database Credentials in Milner ImageDirector Capture
CVE-2025-58744	Hard-Coded Default Credentials Enable Document Archive Decryption in Milner ImageDirector Capture

Vulnerability Details / Description

CVE-2025-58740: Hardcoded Encryption Key Enables Database Credential Access in Milner ImageDirector

The Milner ImageDirector Capture application is vulnerable to credential exposure due to a hardcoded encryption key. The application stores a static cryptographic key within the C2SGlobalSettings.dll executable that encrypts database credentials. SRA identified this vulnerability by reverse engineering the Password function within the DLL, which revealed the hardcoded key used for credential encryption. An attacker can extract this key through static analysis of the executable and subsequently decrypt database credentials stored by the application at rest

Severity

The CVSS base score of this vulnerability has been calculated to be 8.5 (High)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

CVE-2025-58741: Insecure Masked Credential Fields Enable Database Credential Access in Milner ImageDirector Capture

The Milner ImageDirector Capture application is vulnerable to credential disclosure through memory analysis. The Connection Settings dialog stores database credentials in plaintext within application memory, including masked password fields that appear obfuscated in the user interface. SRA identified this vulnerability by opening the Connection Settings dialog and performing memory analysis using BulletsPassView on the running application process. The tool successfully extracted plaintext database usernames and passwords directly from process memory, despite the password field appearing masked with asterisks in the interface. The credentials remain accessible in memory for the duration that the dialog window stays open.

Severity

The CVSS base score of this vulnerability has been calculated to be 8.5 (High)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

CVE-2025-58742: Insufficient Configuration Protections Enable Database Credential Interception in Milner ImageDirector Capture

The Milner ImageDirector Capture application is vulnerable to credential interception through server redirection attacks. The Connection Settings dialog allows users to modify the database server address without clearing stored credentials, enabling an attacker to redirect authentication attempts to a malicious server. SRA identified this vulnerability by modifying the ‘Server’ field in the Connection Settings dialog to point to an attacker-controlled database server. When the application attempts to authenticate using the stored credentials, it transmits the username and password to the specified server address, allowing the attacker’s server to capture the plaintext authentication data. The application does not validate server certificates or implement additional protections against server redirection attacks.

Severity

The CVSS base score of this vulnerability has been calculated to be 8.5 (High)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

CVE-2025-58743: Insecure Encryption Algorithm Enables Brute-Force of Database Credentials in Milner ImageDirector Capture

The Milner ImageDirector Capture application is vulnerable to credential exposure through weak cryptographic implementation. The Password class within C2SConnections.dll uses the deprecated Data Encryption Standard (DES) algorithm to encrypt database credentials stored locally. SRA identified this vulnerability by reverse engineering the Password class and analyzing the cryptographic functions, which revealed the use of 56-bit DES encryption with a static initialization vector. The weak key length and algorithm design make encrypted credentials susceptible to brute-force attacks using modern computational resources.

Severity

The CVSS base score of this vulnerability has been calculated to be 7.2 (High)

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:H/SI:H/SA:H

CVE-2025-58744: Hard-Coded Default Credentials Enable Document Archive Decryption in Milner ImageDirector Capture

The Milner ImageDirector Capture application is vulnerable to document decryption through hardcoded default credentials. The C2SGlobalSettings.dll contains a static “DelayedTransmissionPassword” that encrypts archived documents stored by the application. SRA identified this vulnerability by reverse engineering the C2SGlobalSettings.dll and locating the hardcoded password string within the compiled binary. The application uses this default password to encrypt document archives when users do not specify a custom delayed transmission password. An attacker can extract this hardcoded credential through static analysis and use it to decrypt any document archives encrypted with the default password, bypassing the intended document protection mechanisms.

Severity

The CVSS base score of this vulnerability has been calculated to be 6.9 (Medium)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Versions and Models

Milner ImageDirector Capture from 7.0.9 but before 7.6.3.25808. Versions prior to 7.0.9 may also be affected.

MITRE CWE Weakness Enumeration

CVE-2025-58740

CWE-321: Use of Hard-coded Cryptographic Key

CVE-2025-58741

CWE-522: Insufficiently Protected Credentials

CVE-2025-58742

CWE-522: Insufficiently Protected Credentials
CWE-923: Improper Restriction of Communication Channel to Intended Endpoints

CVE-2025-58743

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

CVE-2025-58744

CWE-1392: Use of Default Credentials
CWE-798: Use of Hard-coded Credentials

Remediation Options

Update Milner ImageDirector Capture to 7.6.3.25808 or later.

Source

These vulnerabilities were discovered by Asa Reynolds and Rick Console as part of research performed by Security Risk Advisors.

Timeframe

October 15-23, 2025 – SRA attempts to establish contact with Milner to disclose vulnerabilities.
November 04, 2025 – Milner acknowledges vulnerabilities and intent to fix.
December 31, 2025 – Milner releases ImageDirector Capture 7.6.3.25808.
January 20, 2026 – SRA publishes CVEs and advisory.

Quest Coexistence Manager for Notes

Fri, 19 Dec 2025 12:00:00 +0000

Summary

SRA has identified a vulnerability in Quest Coexistence Manager for Notes that can lead to bypassing access controls, poisoning web caches, hijacking sessions, or triggering unintended internal requests.

CVE Identifiers

CVE ID	CVE Name
CVE-2025-12874	HTTP Request Smuggling in Quest Coexistence Manager for Notes

Vulnerability Details / Description

Quest Coexistence Manager for Notes (3.8.2045) is vulnerable in the Free/Busy Connector to HTTP request smuggling from an unauthenticated remote attacker. The front-end and back-end components rely on inconsistent header parsing, resulting in desynchronized request boundaries. In this case, the front-end server uses the Content-Length header to determine the end of the request body, forwarding the full request. The back-end server interprets the request using Transfer-Encoding: chunked, processing only the first chunk (declared as zero-length) and treating the remaining bytes as a new, separate request. The attacker embeds a second, hidden request in the body of the original message. Due to the parsing mismatch, this smuggled request is processed independently by the back-end server.

Severity

The CVSS base score of this vulnerability has been calculated to be 6.3 (Medium).

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/U:Clear

Affected Versions and Models

Quest Coexistence Manager for Notes 3.8.2045

MITRE CWE Weakness Enumeration

CWE-444: Inconsistent Interpretation of HTTP Requests

Remediation Options

Update Quest Coexistence Manager for Notes to latest version.

Source

This vulnerability was discovered by Cam Lischke as part of research performed by Security Risk Advisors.

Timeframe

November 3, 2025 – SRA submits vulnerability support case to Quest.
November 4 through November 7, 2025 – SRA submits details of vulnerability to Quest.
December 9, 2025 – SRA notifies Quest of intent to publicly disclose.
December 12, 2025 – Quest acknowledges intent to publicly disclose.
December 17, 2025 – Quest notifies SRA of intent to create a knowledge base article for Quest Support Portal

Brivo Access Control Systems

Mon, 19 Feb 2024 12:00:00 +0000

Summary

SRA has identified multiple vulnerabilities in Brivo Access Control Systems that can lead to the disclosure of sensitive system data and allow degradation or bypass of critical system functions.

CVE Identifiers

CVE ID	CVE Name
CVE-2023-6259	Local Access to Sensitive Data
CVE-2023-6260	Web UI OS Command Injection

Vulnerability Details / Description

CVE-2023-6259 – Local Access to Sensitive Data

An attacker with physical access to the ACS100 or ACS300 devices can access sensitive data from device memory that can be used to conduct additional attacks.

Severity

The CVSS severity level of this vulnerability has been calculated to be 7.1 (High)

CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2023-6260 – Web UI OS Command Injection

ACS300 (Physical Access)

An attacker with physical access to ACS300 devices can perform a command injection attack via the web UI and gain access to sensitive data that can be used to conduct additional attacks.

Severity

The CVSS base score of this vulnerability has been calculated to be 7.4 (High) for the physical access scenario:

CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

ACS100 (Adjacent Network Access)

An attacker with local network access to ACS100 devices can perform a command injection attack via the web UI and gain access to sensitive data that can be used to conduct additional attacks.

Severity

The CVSS severity level of this vulnerability has been calculated to be 9.0 (High) for the adjacent network access scenario:

CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected Versions and Models

Affects models ACS100, ACS300. Models ACS6000 and ACSSDC may also be affected.

Severity

Affects firmware versions from 5.2.4 but before 6.2.4.3. Versions prior to 5.2.4 may also be affected.

MITRE CWE Weakness Enumeration

CWE-284: Improper Access Control

CWE-522: Insufficiently Protected Credentials

CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

Remediation Options

Update affected devices to firmware version 6.2.4.3. Contact Brivo or your reseller for more information.

Source

These vulnerabilities were discovered by Alexandra Grochal and Gabe Siftar, as part of a research initiative for Security Risk Advisors’ internal hardware penetration testing team.

Timeframe

October 9, 2023 – SRA attempts initial contact with Brivo.
November 9, 2023 – SRA shares vulnerability details with Brivo’s product security team.
November 29, 2023 – SRA reserves CVE IDs.
December 15, 2023 – Brivo releases fix to production.