Key Information

CVE Number: CVE-2025-52373
Description: Hardcoded encryption key in BlowFish.cpp allows attackers to decrypt passwords used in database connection strings.
Vulnerability Type: Hardcoded Encryption Key (CWE-321)
Vendor: hMailServer
Affected Product Versions: hMailServer - 5.8.6, 5.6.9-beta
Affected Components: hMailServer/source/Server/Common/Util/BlowFish.cpp, hMailServer.ini
Attack Type: Local Information Disclosure
Impact: true
Attack Vector: Attackers can simply modify existing functions in the source code to decrypt passwords used in SQL server connection strings.

References

hMailServer Exploit
Generic Exploit
Blog Post
Application

Discoverer

Eli Samara

Detailed Explanation

Hardcoded password settings located in at line 20 and line 29.
Uses hardcoded key to encrypt database passwords.
Python script provided to decrypt hardcoded passwords.
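
A defender-side check for the issue described above, as an added example that is not part of the original advisory or the hMailServer code base: it reads an hMailServer.ini-style file and reports whether the stored database password should be treated as exposed and rotated. The `[Database]` key names and the meaning of `PasswordEncryption=1` (Blowfish with the built-in key) are assumptions, and the sample file is constructed.

```python
import configparser

# Constructed sample. The [Database] key names and the reading of
# PasswordEncryption=1 as "Blowfish with the built-in key" are assumptions
# about hMailServer.ini, not details taken from the advisory.
SAMPLE_INI = """\
[Database]
Type=MSSQL
Username=hmail_svc
Password=0123456789abcdef0123456789abcdef
PasswordEncryption=1
Server=db01.example.internal
Database=hMailServer
"""


def audit_db_credential(ini_text):
    """Classify how the database password in an hMailServer.ini-style file is stored."""
    # interpolation=None: a password may contain '%', which configparser
    # would otherwise try to expand. strict=False tolerates duplicate keys.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text.lstrip("\ufeff"))  # drop a UTF-8 BOM if present
    if not cp.has_section("Database"):
        return {"status": "no-database-section", "rotate": False}
    db = cp["Database"]
    password = db.get("Password", "").strip()
    mode = db.get("PasswordEncryption", "0").strip()
    finding = {"server": db.get("Server", ""), "username": db.get("Username", "")}
    if not password:
        finding.update(status="no-stored-password", rotate=False)
    elif mode == "1":
        # Ciphertext under a key that ships in the source protects nothing
        # from anyone who can read this file: treat it like plaintext.
        finding.update(status="static-key-ciphertext", rotate=True)
    else:
        finding.update(status="plaintext", rotate=True)
    return finding


if __name__ == "__main__":
    print(audit_db_credential(SAMPLE_INI))
```

Any result with `rotate` set means the database credential should be changed and read access to the file restricted to the service account.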