Mallory

Critical Hard-Coded Encryption Key Vulnerability in Apache StreamPark

Tags: widely-deployed-product-advisory, identity-authentication-vulnerability, open-source-dependency-vulnerability
Updated March 21, 2026 at 03:07 PM. 2 sources

A critical vulnerability, tracked as CVE-2025-54947, was discovered in Apache StreamPark, a widely used stream-processing platform. The flaw arises from the use of a hard-coded encryption key together with the insecure AES ECB mode. Because the key is embedded in the application itself, it is the same in every installation and available to anyone who can read the code or binary; ECB mode compounds this by encrypting each block independently and deterministically, so identical plaintext blocks yield identical ciphertext and nothing detects modified ciphertext. Together these allow attackers to decrypt sensitive data, forge authentication tokens, and potentially gain unauthorized access to affected systems. The vulnerability impacts versions 2.0.0 through 2.1.7, exposing organizations to significant risk of information disclosure and privilege escalation if left unpatched.

The Apache StreamPark development team has addressed the issue by releasing version 2.1.7, which eliminates the hard-coded key vulnerability. Security experts strongly advise organizations to upgrade to the latest version immediately and conduct thorough security audits of their StreamPark deployments to identify and mitigate any potential compromise resulting from this flaw. Failure to patch could allow threat actors to manipulate system behavior or escalate privileges within enterprise environments relying on StreamPark for real-time data processing.
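As an added illustration (not Apache StreamPark's code), the following Python contrasts the weak pattern the advisory describes, a key baked into the source used with AES-ECB, with a hardened design: a random per-deployment key and AES-GCM, which authenticates tokens so modified ciphertext is rejected. The key value, token layout and helper names are constructed for the example, and it needs the `cryptography` package.

```python
# Added example, not Apache StreamPark's code: the weak pattern (hard-coded key +
# AES-ECB) beside a hardened form (per-deployment key + AES-GCM). Needs `cryptography`.
import os
from typing import Optional
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

BLOCK = 16
# Constructed stand-in for a key baked into source code: identical in every
# deployment, so anyone who can read the code can decrypt every install's tokens.
HARDCODED_KEY = b"0123456789abcdef"

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Weak: deterministic and unauthenticated; same input gives same output everywhere."""
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return enc.update(pkcs7_pad(plaintext)) + enc.finalize()

def repeated_blocks(ciphertext: bytes) -> int:
    """Count duplicate 16-byte blocks: ECB maps equal plaintext blocks to equal
    ciphertext blocks, so duplicates reveal the structure of the protected data."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))

def new_deployment_key() -> bytes:
    """Hardened: a random key generated per deployment and kept in a secret store."""
    return AESGCM.generate_key(bit_length=256)

def gcm_seal(key: bytes, plaintext: bytes, aad: bytes = b"token-v1") -> bytes:
    nonce = os.urandom(12)  # unique per message; prepended so the receiver has it
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)

def gcm_open(key: bytes, sealed: bytes, aad: bytes = b"token-v1") -> Optional[bytes]:
    try:
        return AESGCM(key).decrypt(sealed[:12], sealed[12:], aad)
    except InvalidTag:
        return None  # a flipped bit or a wrong key: the token is rejected, not trusted

if __name__ == "__main__":
    token = b"user=alice;role=user;" + b"A" * 64  # constructed sample token
    print("ECB duplicate blocks:", repeated_blocks(ecb_encrypt(HARDCODED_KEY, token)))
    key = new_deployment_key()
    sealed = gcm_seal(key, token)
    tampered = sealed[:-1] + bytes([sealed[-1] ^ 1])
    print("GCM intact:", gcm_open(key, sealed) == token, "| tampered:", gcm_open(key, tampered))
```

The ECB ciphertext of the sample token contains duplicate blocks and is byte-for-byte identical on every system sharing the key, while the GCM version shows no repetition and any altered byte makes `gcm_open` return `None`.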

Timeline

  1. Dec 15, 2025

    Apache StreamPark 2.1.7 released to address the vulnerability

    The Apache StreamPark team released version 2.1.7 to fix CVE-2025-54947 and advised users to upgrade immediately. Reporting also recommended auditing affected environments for possible data exposure and reviewing key management practices.

  2. Dec 15, 2025

    Apache StreamPark flaw identified as CVE-2025-54947

    A vulnerability affecting Apache StreamPark versions 2.0.0 through 2.1.7 was identified, caused by a hard-coded cryptographic key and use of insecure AES ECB mode. The issue could allow attackers to decrypt sensitive data and forge authentication tokens, leading to unauthorized access or privilege escalation.


Related Stories

Privilege Escalation Vulnerability in Apache StreamPipes (CVE-2025-47411)

A critical privilege escalation vulnerability, tracked as CVE-2025-47411, was discovered in Apache StreamPipes versions 0.69.0 through 0.97.0. The flaw allows legitimate non-administrator users to manipulate JWT tokens and escalate their privileges by swapping their username for an existing administrator account, thereby gaining full administrative control of the application. This vulnerability stems from a flawed user ID creation mechanism and poses significant risks, as attackers can bypass access controls without advanced technical skills or external tools. Once administrative access is obtained, attackers can access sensitive data, modify system configurations, and potentially compromise the entire data streaming infrastructure. The vulnerability is particularly concerning for organizations using StreamPipes to process proprietary or operational data, and it introduces supply chain risks if integrated with critical business systems. Apache has addressed the issue by releasing version 0.98.0, urging all affected users to update immediately to mitigate the risk.

1 month ago
Critical RCE Vulnerability in Apache ActiveMQ NMS AMQP Client

A critical remote code execution (RCE) vulnerability, identified as CVE-2025-54539, has been discovered in the Apache ActiveMQ NMS AMQP Client. This flaw is rated with a CVSS 3.1 score of 9.8, indicating its severe impact and ease of exploitation. The vulnerability arises from the deserialization of untrusted data within the NMS AMQP Client component, which can allow attackers to execute arbitrary code on the server. Security researchers have confirmed that successful exploitation of this vulnerability could lead to full server-side code execution, potentially granting attackers complete control over affected systems. The issue specifically affects deployments using the NMS AMQP Client, a component commonly integrated into enterprise messaging infrastructures. Organizations relying on Apache ActiveMQ for message brokering are at heightened risk if they utilize the vulnerable client library. The vulnerability can be exploited remotely, requiring no prior authentication, which significantly increases the attack surface and urgency for remediation. Security advisories recommend immediate patching or mitigation to prevent exploitation in the wild. The flaw was publicly disclosed on October 16, 2025, prompting rapid response from the Apache ActiveMQ development team and the broader security community. No reports of active exploitation have been confirmed at the time of disclosure, but the critical nature of the bug has led to widespread concern among enterprise users. Technical analysis indicates that the vulnerability stems from improper handling of serialized objects received over the AMQP protocol. Attackers can craft malicious payloads that, when processed by the vulnerable client, trigger arbitrary code execution. The Apache Software Foundation has released updated versions of the NMS AMQP Client to address the issue and urges all users to upgrade immediately. 
Security experts highlight the importance of reviewing all systems for the presence of the affected library and applying compensating controls where patching is not immediately feasible. The vulnerability underscores the ongoing risks associated with deserialization flaws in widely used open-source components. Organizations are advised to monitor for indicators of compromise and to review their application architectures for similar risks. The incident serves as a reminder of the critical need for secure coding practices and regular vulnerability management in enterprise environments.

1 month ago
Active Exploitation of Gladinet CentreStack and Triofox Cryptographic Flaw Enables Remote Code Execution

Attackers are actively exploiting a critical cryptographic vulnerability in Gladinet's CentreStack and Triofox products, which are used for secure remote file access and sharing. The flaw stems from the use of hard-coded cryptographic keys within the `GladCtrl64.dll` component, allowing threat actors to decrypt or forge access tickets and gain unauthorized access to sensitive files, including `web.config`. This access can be leveraged to obtain machine keys and achieve remote code execution via ViewState deserialization. Security researchers from Huntress have observed at least nine organizations targeted by these attacks, with exploitation occurring in the wild and Gladinet issuing advisories and updates to mitigate the risk. The vulnerability is rooted in a custom implementation of the AES algorithm, where static 100-byte strings are used to derive encryption keys and initialization vectors, making them identical across all installations. Attackers can craft malicious requests to the `/storage/filesvr.dn` endpoint, bypassing authentication and impersonating users. Gladinet has provided indicators of compromise (IoCs) and urged customers to update to the latest versions released on November 29. The attacks highlight the risks of insecure cryptographic practices and the importance of timely patching in enterprise environments.

1 month ago