CVE-2018-25361

medium

Published 2026-05-25 · Modified 2026-05-26

CVSS v3

6.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CVSS v2

—

VIR risk

6.8

Description

Soroush IM Desktop App 0.17.0 contains an authentication bypass vulnerability that allows local attackers to remove passcodes by injecting pre-encrypted database entries using a constant encryption key. Attackers can inject malicious database records into the application's database files to unlock the client and access all stored data, chats, images, and files without knowing the original passcode.

Predictions

Exploit likelihood

67%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.

References

https://www.exploit-db.com/exploits/45171
https://soroush-app.ir
http://54.36.43.176/SoroushSetup0.17.0.exe
https://www.vulncheck.com/advisories/soroush-im-desktop-app-authentication-bypass-via-database-injection

CWEs

CWE-290

Verify integrity in audit chain (admin only). AS-IS.