Summary
SRA has identified multiple vulnerabilities in Milner ImageDirector Capture that can lead to database access, credential access, database credential interception, and decryption of document archives.
CVE Identifiers
| CVE ID | CVE NAME |
| CVE-2025-58740 | Hardcoded Encryption Key Enables Database Credential Access in Milner ImageDirector |
| CVE-2025-58741 | Insecure Masked Credential Fields Enable Database Credential Access in Milner ImageDirector Capture |
| CVE-2025-58742 | Insufficient Configuration Protections Enable Database Credential Interception in Milner ImageDirector Capture |
| CVE-2025-58743 | Insecure Encryption Algorithm Enables Brute-Force of Database Credentials in Milner ImageDirector Capture |
| CVE-2025-58744 | Hard-Coded Default Credentials Enable Document Archive Decryption in Milner ImageDirector Capture |
Vulnerability Details / Description
CVE-2025-58740: Hardcoded Encryption Key Enables Database Credential Access in Milner ImageDirector
The Milner ImageDirector Capture application is vulnerable to credential exposure due to a hardcoded encryption key. The application stores a static cryptographic key within the C2SGlobalSettings.dll executable that encrypts database credentials. SRA identified this vulnerability by reverse engineering the Password function within the DLL, which revealed the hardcoded key used for credential encryption. An attacker can extract this key through static analysis of the executable and subsequently decrypt database credentials stored by the application at rest
Severity
The CVSS base score of this vulnerability has been calculated to be 8.5 (High)
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
CVE-2025-58741: Insecure Masked Credential Fields Enable Database Credential Access in Milner ImageDirector Capture
The Milner ImageDirector Capture application is vulnerable to credential disclosure through memory analysis. The Connection Settings dialog stores database credentials in plaintext within application memory, including masked password fields that appear obfuscated in the user interface. SRA identified this vulnerability by opening the Connection Settings dialog and performing memory analysis using BulletsPassView on the running application process. The tool successfully extracted plaintext database usernames and passwords directly from process memory, despite the password field appearing masked with asterisks in the interface. The credentials remain accessible in memory for the duration that the dialog window stays open.
Severity
The CVSS base score of this vulnerability has been calculated to be 8.5 (High)
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
CVE-2025-58742: Insufficient Configuration Protections Enable Database Credential Interception in Milner ImageDirector Capture
The Milner ImageDirector Capture application is vulnerable to credential interception through server redirection attacks. The Connection Settings dialog allows users to modify the database server address without clearing stored credentials, enabling an attacker to redirect authentication attempts to a malicious server. SRA identified this vulnerability by modifying the ‘Server’ field in the Connection Settings dialog to point to an attacker-controlled database server. When the application attempts to authenticate using the stored credentials, it transmits the username and password to the specified server address, allowing the attacker’s server to capture the plaintext authentication data. The application does not validate server certificates or implement additional protections against server redirection attacks.
Severity
The CVSS base score of this vulnerability has been calculated to be 8.5 (High)
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
CVE-2025-58743: Insecure Encryption Algorithm Enables Brute-Force of Database Credentials in Milner ImageDirector Capture
The Milner ImageDirector Capture application is vulnerable to credential exposure through weak cryptographic implementation. The Password class within C2SConnections.dll uses the deprecated Data Encryption Standard (DES) algorithm to encrypt database credentials stored locally. SRA identified this vulnerability by reverse engineering the Password class and analyzing the cryptographic functions, which revealed the use of 56-bit DES encryption with a static initialization vector. The weak key length and algorithm design make encrypted credentials susceptible to brute-force attacks using modern computational resources.
Severity
The CVSS base score of this vulnerability has been calculated to be 7.2 (High)
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:H/SI:H/SA:H
CVE-2025-58744: Hard-Coded Default Credentials Enable Document Archive Decryption in Milner ImageDirector Capture
The Milner ImageDirector Capture application is vulnerable to document decryption through hardcoded default credentials. The C2SGlobalSettings.dll contains a static “DelayedTransmissionPassword” that encrypts archived documents stored by the application. SRA identified this vulnerability by reverse engineering the C2SGlobalSettings.dll and locating the hardcoded password string within the compiled binary. The application uses this default password to encrypt document archives when users do not specify a custom delayed transmission password. An attacker can extract this hardcoded credential through static analysis and use it to decrypt any document archives encrypted with the default password, bypassing the intended document protection mechanisms.
Severity
The CVSS base score of this vulnerability has been calculated to be 6.9 (Medium)
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected Versions
Milner ImageDirector Capture from 7.0.9 but before 7.6.3.25808. Versions prior to 7.0.9 may also be affected.
MITRE CWE Weakness Enumeration
CVE-2025-58740
- CWE-321: Use of Hard-coded Cryptographic Key
CVE-2025-58741
- CWE-522: Insufficiently Protected Credentials
CVE-2025-58742
- CWE-522: Insufficiently Protected Credentials
- CWE-923: Improper Restriction of Communication Channel to Intended Endpoints
CVE-2025-58743
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CVE-2025-58744
- CWE-1392: Use of Default Credentials
- CWE-798: Use of Hard-coded Credentials
Remediation Options
Update Milner ImageDirector Capture to 7.6.3.25808 or later.
Source
These vulnerabilities were discovered by Asa Reynolds and Rick Console as part of research performed by Security Risk Advisors.
Timeline
October 15-23, 2025 – SRA attempts to establish contact with Milner to disclose vulnerabilities.
November 04, 2025 – Milner acknowledges vulnerabilities and intent to fix.
December 31, 2025 – Milner releases ImageDirector Capture 7.6.3.25808.
January 20, 2026 – SRA publishes CVEs and advisory.