CVE-2018-25361

high

Description

Soroush IM Desktop App 0.17.0 contains an authentication bypass vulnerability that allows local attackers to remove passcodes by injecting pre-encrypted database entries using a constant encryption key. Attackers can inject malicious database records into the application's database files to unlock the client and access all stored data, chats, images, and files without knowing the original passcode.

References

https://www.vulncheck.com/advisories/soroush-im-desktop-app-authentication-bypass-via-database-injection

https://www.exploit-db.com/exploits/45171

https://soroush-app.ir

http://54.36.43.176/SoroushSetup0.17.0.exe

Details

Source: Mitre, NVD

Published: 2026-05-25

Updated: 2026-05-26

Risk Information

CVSS v2

Base Score: 5.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.8

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Severity: Medium

CVSS v4

Base Score: 7

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Severity: High

EPSS

EPSS: 0.00013