Key Information

Vulnerability ID: CVE-2025-52374

Vulnerability Description: Hardcoded encryption key in allows attackers to decrypt passwords and gain access to other servers.

Vulnerability Type: CWE-321: Use of Hard-coded Cryptographic Key

Product Vendor: hMailServer

Affected Product Versions: hMailServer - 5.8.6, 5.6.9-beta

Affected Components: ,

Attack Type: Local

Impact: Information Disclosure: TRUE

Attack Vector: Attackers can use the encryption key and IV derived from hardcoded salt and password to decrypt passwords that were encrypted using the same Cfunction as the source code.

Reference Links:
- hMailServer Exploit: GitHub
- Generic Exploit: GitHub
- Blog Post: mojibake.dev
- Application: hMailServer GitHub

Discoverer: Eli Samara

Detailed Explanation

Passwords are encrypted when creating a new server connection. A hardcoded key is used for both encryption and decryption. The decryption function can decrypt strings from the tag.