Apache Syncope Flaw Lets Attackers Access Internal Database Content

A security vulnerability has been identified in Apache Syncope that could allow attackers to decrypt stored passwords if they gain access to the internal database.

The flaw stems from the use of a hardcoded default AES encryption key, which undermines the password protection mechanism designed to keep sensitive user credentials secure.

The vulnerability affects multiple versions of Apache Syncope, a popular open-source identity and access management (IAM) platform used by organizations worldwide.

CVE ID: CVE-2025-65998
Product: Apache Syncope
Component: org.apache.syncope.core:syncope-core-spring
Vulnerability Type: Hardcoded Encryption Key
Affected Versions: 2.1.0 – 2.1.14, 3.0.0 – 3.0.14, 4.0.0 – 4.0.2
Severity: Important

Security researchers from the Technical University of Darmstadt discovered that when AES encryption is configured for password storage, the system defaults to using a hardcoded encryption key embedded directly in the source code, making decryption trivial for attackers with database access.

How the Vulnerability Works

Apache Syncope allows administrators to encrypt user passwords stored in the internal database using AES.

However, this optional security feature is undermined by a critical design flaw. Instead of requiring administrators to configure unique encryption keys, the system uses a default key hard-coded in the application source code.

This means any attacker who obtains access to the database can easily retrieve and decrypt password values, potentially compromising every user account in the system.

It’s important to note that this vulnerability only affects scenarios where administrators have explicitly configured AES encryption for password storage.

The default configuration does not enable this feature. Additionally, plain attributes encrypted with AES are not affected by this issue, as they maintain separate protection mechanisms.
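The fallback the section describes, reduced to an added Go example that is not Syncope's code (the key value, the AES-GCM mode and the function names are assumptions): the vulnerable key selection beside a fail-closed one, plus an encryption helper showing that a password sealed under the compiled-in constant is recoverable by anyone who holds that constant.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// defaultKey: constructed placeholder for a key compiled into source, public to anyone with the jar.
var defaultKey = []byte("constructed-placeholder-key-32by")

// vulnerableKey: the flawed pattern, an absent configured key silently downgrades to the constant.
func vulnerableKey(configured []byte) []byte {
	if len(configured) == 0 {
		return defaultKey
	}
	return configured
}

// hardenedKey: fail closed, a missing or mis-sized operator key is a startup error, not a fallback.
func hardenedKey(configured []byte) ([]byte, error) {
	if n := len(configured); n != 16 && n != 24 && n != 32 {
		return nil, errors.New("AES password encryption enabled but no valid key configured")
	}
	return configured, nil
}

// aead builds AES-GCM for key (GCM is an assumption; the page does not give Syncope's mode).
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts one password with a fresh random nonce prefixed to the blob.
func seal(key, password []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, password, nil), nil
}
```

With the hardened selector an operator who enables AES encryption but never sets a key gets a startup failure instead of a silently weak database, which is the behaviour a fix for this class of bug has to deliver.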

The vulnerability affects three active Apache Syncope version branches. Deployments running versions 2.1.0 through 2.1.14, 3.0.0 through 3.0.14, or 4.0.0 through 4.0.2 are exposed to this attack.

The Apache Syncope security team announced the vulnerability on November 24, 2025, with a critical severity rating.

The Apache Syncope project has released patched versions that address this security flaw. Users are strongly advised to upgrade to version 3.0.15 or version 4.0.3, whichever applies to their deployment.

These updates include fixes that eliminate the hardcoded encryption key vulnerability and implement stronger security practices for password encryption.

The security research community appreciates the responsible disclosure efforts by Clemens Bergmann and the Technical University of Darmstadt in identifying and reporting this vulnerability through proper channels before public disclosure.
