CVE-2026-39031 in lsrunaseinfo

Summary

by MITRE • 06/27/2026

Lansweeper lsrunase 2.0 and lsencrypt 2.0 use RC4 encryption with a hardcoded 142-byte static key array to encrypt credentials. An 8-character prefix is stored in cleartext alongside the ciphertext. This allows an attacker with local access to recover any encrypted password to plaintext using a single SHA-1 hash and RC4 decryption operation, with no brute force required.


Analysis

by VulDB Data Team • 06/27/2026

The vulnerability identified in Lansweeper lsrunase 2.0 and lsencrypt 2.0 is a critical cryptographic flaw that undermines the security of credential storage. The weakness stems from RC4 encryption with a hardcoded static key array of 142 bytes, which makes the key predictable and removes any meaningful cryptographic protection for sensitive information. The use of the RC4 algorithm in this context is particularly concerning because it has been widely deprecated due to numerous cryptographic weaknesses and vulnerabilities. The security model assumes that the encryption key remains secret, yet because the key is hardcoded in the software, any attacker with local access can obtain the complete key material without computational resources or time-consuming attacks.

The technical implementation details reveal a particularly dangerous pattern where an 8-character prefix is stored in cleartext alongside the encrypted credentials, creating what is effectively a known-plaintext attack vector. This design decision significantly reduces the effective entropy of the encryption scheme and provides attackers with crucial information needed to perform successful decryption operations. The combination of the hardcoded key array and the cleartext prefix creates a scenario where only a single SHA-1 hash computation followed by RC4 decryption is required to recover plaintext passwords. This eliminates any need for brute force attacks, dictionary attacks, or other computationally intensive methods that would normally be required to break encryption schemes.

From an operational impact perspective, this vulnerability creates immediate and severe consequences for organizations using Lansweeper systems, as it allows local attackers to obtain complete access to all stored credentials without requiring any specialized tools or extensive computational resources. The attack surface is expanded due to the nature of the hardcoded key, which means that even if systems are properly secured against external attacks, local privilege escalation or insider threats can immediately compromise all credential data. This vulnerability directly violates fundamental security principles outlined in standards such as CWE-327, which specifically addresses the use of weak cryptographic algorithms like RC4, and CWE-310, which covers cryptographic weaknesses in key management. The vulnerability also aligns with ATT&CK technique T1552.001 for "Unsecured Credentials" and T1078.004 for "Valid Accounts" as it enables unauthorized access to legitimate user credentials.

The implications of this vulnerability extend beyond simple credential theft, as it provides attackers with a mechanism that requires no special cryptographic knowledge or advanced tools to exploit successfully. The complete absence of any brute force requirements makes this attack particularly attractive for threat actors who may not possess significant computational resources or specialized expertise in cryptanalysis. Organizations implementing Lansweeper solutions face immediate risk of credential compromise, potential lateral movement within their networks, and possible unauthorized access to sensitive systems and data that rely on the protected credentials. The vulnerability demonstrates a fundamental failure in secure coding practices and cryptographic implementation, as it shows poor understanding of basic security principles regarding key management, algorithm selection, and proper encryption implementation.

Recommended mitigations for this vulnerability include immediate replacement of the hardcoded RC4 encryption with modern, cryptographically secure algorithms such as AES-256, proper implementation of key derivation functions like PBKDF2 or scrypt, and elimination of cleartext prefixes that could aid attackers in their decryption efforts. System administrators should implement strict access controls to prevent local privilege escalation and ensure that encryption keys are not embedded within software binaries. Organizations must also conduct comprehensive audits of all cryptographic implementations within their systems to identify similar vulnerabilities that may exist in other applications or services. The remediation process should include complete removal of the hardcoded key material from the software distribution and implementation of proper key management practices that align with industry standards such as NIST SP 800-57 for cryptographic key management and ISO/IEC 15408 for security assurance.

Responsible

MITRE

Reservation

04/06/2026

Disclosure

06/27/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources
