CVE-2025-58741 on SRA Labs | Cybersecurity Research & Innovation by Security Risk Advisors

Cracking Codes, Capturing Credentials: Five CVEs in Milner ImageDirector Capture

Tue, 05 May 2026 12:00:00 +0000

Summary

SRA encountered Milner ImageDirector Capture, a document scanning application, on a network penetration test. We identified and responsibly disclosed several vulnerabilities in this software. After the vendor provided a patch, we subsequently released five CVEs. This post explains the technical details of each CVE.

Introduction

ImageDirector Capture is a .NET Windows application that manages scanned documents. Users access Capture by logging into one or more endpoint devices. The endpoints store database credentials and authenticate to a central MSSQL database for storage. While individual users can add documents to the server, they should not be able to extract database credentials from the application. We audited Capture’s source code with dnSpy.

Note: we used the sample credential sa:password99 for demonstration purposes.

Spicy Bytes: Hardcoded Encryption Key

Capture uses stored credentials to connect to the database. It stores these credentials in C:\ProgramData\Comsquared\Capture\Connections.config.

Viewing encrypted credentials in Connections.config

It protects these credentials with encryption, but the GetPassword() and SetPassword() functions in C2SGlobalSettings.dll call the Password.Decrypt() function with a hardcoded key.

Observing hardcoded encryption keys in GetPassword and SetPassword functions

Looking at the definition of Password(), we see that the function defaults to a predefined key if it receives no input, and it uses the inline encryption key otherwise. We did not observe any instance where the application used this default key.

Observing default encryption key and override in Password function

After accepting the key as an inline function argument, Password() passes it to InitKey, which splits the input into a key and IV for encryption.

Observing the key initialization process in C2SConnection.dll

The InitKey function is deterministic: all passwords are encrypted with the same key and IV. If an attacker were to extract this key from one installation of ImageDirector Capture, they could decrypt passwords from other deployments.

This finding was assigned CVE-2025-58740.

Taking Off The Mask: Insecure Masked Credential Fields

In the Connection Settings dialog, ImageDirector Capture shows a field with the masked database password. Although the password is masked, it exists in the application’s memory as plaintext. We used the “Bullets Password View” tool from NirSoft to read these credentials.

Notably, we confirmed that the Connection Settings dialog was not vulnerable to this attack when manually launched from the Settings menu within the application. However, it was vulnerable when the application failed to connect to the database on initial load and subsequently loaded Connection Settings. We induced this state by setting the “ServerInstance” value in the program’s Connections.config file to a non-existent server address.

Viewing the masked password in the Connection Settings window

Extracting the database password with BulletsPassView

Deploying relevant meme

This finding was assigned CVE-2025-58741.

I’m The Server, Send Me Your Password: MSSQL Pass-Back

Revisiting the Connection Settings dialog, we wondered what would happen if we changed the Server IP address to a different value: would the application attempt to login? Yes, it would! We were able to extract the database password by pointing ImageDirector Capture at a mitmsqlproxy instance. After clicking Test Connection, the application sent its credentials over the network.

Intercepting database credentials with mitmsqlproxy

This finding was assigned CVE-2025-58742.

Doesn’t Encrypt Securely: DES

When we inspected the encryption function, we found that ImageDirector Capture uses the DES algorithm to encrypt and decrypt data. DES is insecure, and CISA recommends replacing it with a secure algorithm like AES-256.

Viewing DES encryption in the Encrypt function

This finding was assigned CVE-2025-58743.

All Your Backups Are Belong To Us: Hardcoded Credentials

In addition to the hardcoded encryption key for passwords, the application contains a hardcoded password (the DelayedTransmissionPassword), which is used for encrypting and decrypting archive backup files. An attacker with access to encrypted archive files would be able to decrypt the files with the password and extract data.

Viewing the hardcoded password in C2SGlobalSettings.dll

This finding was assigned CVE-2025-58744.

Conclusion

The multiple vulnerabilities in this software illustrate the importance of in-depth testing. We were pleased to see that the vendor took action to promptly remediate these vulnerabilities in response to our disclosure.

Timeframe

October 15-23, 2025 – SRA attempts to establish contact with Milner to disclose vulnerabilities.
November 04, 2025 – Milner acknowledges vulnerabilities and intent to fix.
December 31, 2025 – Milner releases ImageDirector Capture 7.6.3.25808.
January 20, 2026 – SRA publishes CVEs and advisory.

Milner ImageDirector Capture

Tue, 20 Jan 2026 12:00:00 +0000

Summary

SRA has identified multiple vulnerabilities in Milner ImageDirector Capture that can lead to database access, credential access, database credential interception, and decryption of document archives.

CVE Identifiers

CVE ID	CVE Name
CVE-2025-58740	Hardcoded Encryption Key Enables Database Credential Access in Milner ImageDirector
CVE-2025-58741	Insecure Masked Credential Fields Enable Database Credential Access in Milner ImageDirector Capture
CVE-2025-58742	Insufficient Configuration Protections Enable Database Credential Interception in Milner ImageDirector Capture
CVE-2025-58743	Insecure Encryption Algorithm Enables Brute-Force of Database Credentials in Milner ImageDirector Capture
CVE-2025-58744	Hard-Coded Default Credentials Enable Document Archive Decryption in Milner ImageDirector Capture

Vulnerability Details / Description

CVE-2025-58740: Hardcoded Encryption Key Enables Database Credential Access in Milner ImageDirector

The Milner ImageDirector Capture application is vulnerable to credential exposure due to a hardcoded encryption key. The application stores a static cryptographic key within the C2SGlobalSettings.dll executable that encrypts database credentials. SRA identified this vulnerability by reverse engineering the Password function within the DLL, which revealed the hardcoded key used for credential encryption. An attacker can extract this key through static analysis of the executable and subsequently decrypt database credentials stored by the application at rest

Severity

The CVSS base score of this vulnerability has been calculated to be 8.5 (High)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

CVE-2025-58741: Insecure Masked Credential Fields Enable Database Credential Access in Milner ImageDirector Capture

The Milner ImageDirector Capture application is vulnerable to credential disclosure through memory analysis. The Connection Settings dialog stores database credentials in plaintext within application memory, including masked password fields that appear obfuscated in the user interface. SRA identified this vulnerability by opening the Connection Settings dialog and performing memory analysis using BulletsPassView on the running application process. The tool successfully extracted plaintext database usernames and passwords directly from process memory, despite the password field appearing masked with asterisks in the interface. The credentials remain accessible in memory for the duration that the dialog window stays open.

Severity

The CVSS base score of this vulnerability has been calculated to be 8.5 (High)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

CVE-2025-58742: Insufficient Configuration Protections Enable Database Credential Interception in Milner ImageDirector Capture

The Milner ImageDirector Capture application is vulnerable to credential interception through server redirection attacks. The Connection Settings dialog allows users to modify the database server address without clearing stored credentials, enabling an attacker to redirect authentication attempts to a malicious server. SRA identified this vulnerability by modifying the ‘Server’ field in the Connection Settings dialog to point to an attacker-controlled database server. When the application attempts to authenticate using the stored credentials, it transmits the username and password to the specified server address, allowing the attacker’s server to capture the plaintext authentication data. The application does not validate server certificates or implement additional protections against server redirection attacks.

Severity

The CVSS base score of this vulnerability has been calculated to be 8.5 (High)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

CVE-2025-58743: Insecure Encryption Algorithm Enables Brute-Force of Database Credentials in Milner ImageDirector Capture

The Milner ImageDirector Capture application is vulnerable to credential exposure through weak cryptographic implementation. The Password class within C2SConnections.dll uses the deprecated Data Encryption Standard (DES) algorithm to encrypt database credentials stored locally. SRA identified this vulnerability by reverse engineering the Password class and analyzing the cryptographic functions, which revealed the use of 56-bit DES encryption with a static initialization vector. The weak key length and algorithm design make encrypted credentials susceptible to brute-force attacks using modern computational resources.

Severity

The CVSS base score of this vulnerability has been calculated to be 7.2 (High)

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:H/SI:H/SA:H

CVE-2025-58744: Hard-Coded Default Credentials Enable Document Archive Decryption in Milner ImageDirector Capture

The Milner ImageDirector Capture application is vulnerable to document decryption through hardcoded default credentials. The C2SGlobalSettings.dll contains a static “DelayedTransmissionPassword” that encrypts archived documents stored by the application. SRA identified this vulnerability by reverse engineering the C2SGlobalSettings.dll and locating the hardcoded password string within the compiled binary. The application uses this default password to encrypt document archives when users do not specify a custom delayed transmission password. An attacker can extract this hardcoded credential through static analysis and use it to decrypt any document archives encrypted with the default password, bypassing the intended document protection mechanisms.

Severity

The CVSS base score of this vulnerability has been calculated to be 6.9 (Medium)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Versions and Models

Milner ImageDirector Capture from 7.0.9 but before 7.6.3.25808. Versions prior to 7.0.9 may also be affected.

MITRE CWE Weakness Enumeration

CVE-2025-58740

CWE-321: Use of Hard-coded Cryptographic Key

CVE-2025-58741

CWE-522: Insufficiently Protected Credentials

CVE-2025-58742

CWE-522: Insufficiently Protected Credentials
CWE-923: Improper Restriction of Communication Channel to Intended Endpoints

CVE-2025-58743

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

CVE-2025-58744

CWE-1392: Use of Default Credentials
CWE-798: Use of Hard-coded Credentials

Remediation Options

Update Milner ImageDirector Capture to 7.6.3.25808 or later.

Source

These vulnerabilities were discovered by Asa Reynolds and Rick Console as part of research performed by Security Risk Advisors.

Timeframe

October 15-23, 2025 – SRA attempts to establish contact with Milner to disclose vulnerabilities.
November 04, 2025 – Milner acknowledges vulnerabilities and intent to fix.
December 31, 2025 – Milner releases ImageDirector Capture 7.6.3.25808.
January 20, 2026 – SRA publishes CVEs and advisory.