CVE-2018-25361 in IM Desktop App

Summary

by MITRE • 05/26/2026

Soroush IM Desktop App 0.17.0 contains an authentication bypass vulnerability that allows local attackers to remove passcodes by injecting pre-encrypted database entries using a constant encryption key. Attackers can inject malicious database records into the application's database files to unlock the client and access all stored data, chats, images, and files without knowing the original passcode.


Analysis

by VulDB Data Team • 05/26/2026

This vulnerability is a critical authentication bypass in the Soroush IM Desktop application version 0.17.0 that fundamentally compromises the security model of its client-side encryption. The weakness stems from improper handling of database encryption: a constant encryption key is used throughout the application lifecycle, which makes the encryption predictable and lets local attackers manipulate the underlying database directly. By injecting pre-encrypted database entries, attackers bypass the normal authentication flow and unlock the client application without possessing the original passcode.

The technical implementation of this flaw demonstrates poor cryptographic practices that align with CWE-327, which addresses the use of weak or broken cryptographic algorithms and implementation flaws. The application's reliance on a constant encryption key for database entries violates fundamental security principles and creates a scenario where attackers can craft malicious database records that appear legitimate to the application's validation mechanisms. This vulnerability operates at the data layer where the application stores encrypted user data, making it particularly dangerous as it allows unauthorized access to sensitive information including chats, images, and files that were ostensibly protected by the passcode-based authentication system.

From an operational perspective, this vulnerability creates a severe risk for users who store sensitive communications and personal data within the Soroush IM Desktop application. The local attack vector means that any user with access to the system can exploit this weakness without requiring network connectivity or external attack vectors. The impact extends beyond simple unauthorized access to include potential data exfiltration, privacy violations, and compromise of communications that users believed to be secure. This vulnerability particularly affects users who rely on the application for confidential business communications or personal privacy, as the attacker can effectively bypass all client-side security measures.

Exploitation requires minimal technical expertise and relies on database manipulation that leverages the predictable encryption key. Attackers can inject malicious entries into the application's database files using tools that manipulate SQLite or similar database formats commonly used by desktop applications. This attack pattern aligns with ATT&CK technique T1566, which covers credential access through manipulation of authentication systems. The vulnerability also reflects poor security architecture: the application fails to implement proper integrity checks or authentication verification for database entries, so injected data is processed as legitimate information.

Mitigation strategies should focus on implementing proper cryptographic practices including the use of unique encryption keys per user session or device, along with proper database integrity verification mechanisms. The application should implement key derivation functions with proper salt values and avoid hardcoding encryption keys. Security measures should include database entry validation, integrity checking, and proper access controls that prevent unauthorized modifications to the database structure. Additionally, the application should implement proper session management and authentication verification that cannot be bypassed through simple database injection techniques. Organizations using this application should immediately update to versions that address the cryptographic implementation flaws and consider implementing additional security monitoring to detect unauthorized database modifications.
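The key-derivation and integrity-check mitigation described above, sketched as an added example (not code from Soroush or from this advisory). The record layout, function names and iteration count are assumptions, and XOR masking with a one-time PBKDF2 output stands in for an AEAD key wrap so the sketch needs only the standard library.

```python
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor; tune for the target hardware


def _kek(passcode: str, salt: bytes):
    """Derive a one-time mask and a MAC key from the passcode and a per-wrap salt."""
    okm = hashlib.pbkdf2_hmac("sha512", passcode.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def wrap_data_key(passcode: str, data_key: bytes) -> dict:
    """Build the stored record (hypothetical layout): salt, masked data key, tag."""
    salt = os.urandom(16)  # fresh salt per wrap, so the mask is never reused
    mask, mac_key = _kek(passcode, salt)
    masked = bytes(a ^ b for a, b in zip(data_key, mask))
    tag = hmac.new(mac_key, salt + masked, hashlib.sha256).digest()
    return {"salt": salt, "masked": masked, "tag": tag}


def unlock(record: dict, passcode: str) -> bytes | None:
    """Return the data key only if the passcode reproduces the tag; else stay locked."""
    try:
        salt, masked, tag = record["salt"], record["masked"], record["tag"]
        mask, mac_key = _kek(passcode, salt)
        expected = hmac.new(mac_key, salt + masked, hashlib.sha256).digest()
        if len(masked) != 32 or not hmac.compare_digest(tag, expected):
            return None
    except (KeyError, TypeError):
        return None  # missing or malformed record fails closed, never "no passcode"
    # The data key, not a flag in the database, is what opens chats and files.
    return bytes(a ^ b for a, b in zip(masked, mask))


if __name__ == "__main__":
    real_key = os.urandom(32)  # constructed sample data key
    record = wrap_data_key("constructed passcode", real_key)
    print("correct passcode:", unlock(record, "constructed passcode") == real_key)
    print("wrong passcode:  ", unlock(record, "guess"))
    print("record deleted:  ", unlock({}, "constructed passcode"))
```

Because the stored content would be encrypted under the wrapped data key, replacing or deleting the record yields no usable key: the client stays locked instead of falling back to an unprotected state.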

Responsible: VulnCheck
Reservation: 05/24/2026
Disclosure: 05/26/2026
Moderation: accepted
CPE: ready
Exploit: Download
EPSS: 0.00016
KEV: no
Activities: very low
