Description
Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. Attackers can extract payment form data and signatures from POST requests to the payment endpoint, then use SHA1 hash comparison to iteratively test key candidates until discovering the correct production key, enabling them to forge valid payment signatures and manipulate transaction amounts.
Published: 2026-05-13
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a weak cryptographic implementation in Ecommerce Systempay 1.0 that allows an attacker to brute-force the 16-character production secret key used for payment signature generation. By capturing POST requests to the payment endpoint, an adversary can test key candidates against SHA1 hash comparisons until the correct key is found, enabling them to forge valid payment signatures and alter transaction amounts. The flaw is classified as use of a weak hash (CWE-328) and directly jeopardises the integrity and authenticity of payment transactions.

Affected Systems

The affected product is Paiement: Ecommerce Systempay version 1.0. Any deployment of this version is susceptible; no additional sub‑version information is provided.

Risk and Exploitability

The CVSS score of 9.3 reflects a high-risk scenario. Although a specific EPSS score is not available, the exploit requires only remote interaction with the payment endpoint, which is typically exposed over HTTP(S). The vulnerability is not listed in CISA KEV, but the lack of rate limiting or key hardening makes brute-force attempts feasible. Once the key is recovered, an attacker can autonomously forge transaction signatures and manipulate payment amounts.

Generated by OpenCVE AI on May 13, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of Ecommerce Systempay that removes the weak secret‑key implementation.
  • Implement rate limiting or a lockout policy on payment signature verification to make brute‑forcing impractical.
  • Where an upgrade is not immediately possible, restrict access to the production key by storing it in a secure, non-exportable mechanism such as an HSM, and move to a modern cryptographic algorithm such as HMAC-SHA256 for signature generation.
  • Actively monitor transaction logs for anomalous fund transfers and signature patterns.

Generated by OpenCVE AI on May 13, 2026 at 16:21 UTC.
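As an added illustration of the signature scheme the recommended actions point to (this is example code, not the vendor's implementation or part of the OpenCVE record): HMAC-SHA256 over a canonical encoding of the form fields, a constant-time comparison on verification, and a minimum key length that rejects a 16-character key outright. The field names, the canonical encoding and the sample values are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

MIN_KEY_BYTES = 32  # 256-bit key; a 16-character key is refused below


def key_is_acceptable(key: bytes) -> bool:
    """Refuse short keys: a 16-byte printable key is within brute-force reach."""
    return isinstance(key, (bytes, bytearray)) and len(key) >= MIN_KEY_BYTES


def new_key() -> bytes:
    """Generate a fresh 256-bit key from the OS CSPRNG."""
    return secrets.token_bytes(MIN_KEY_BYTES)


def canonical(fields: dict) -> bytes:
    """Deterministic, unambiguous encoding of the signed fields (assumed format):
    sorted key/value pairs, percent-encoded, so neither field order nor
    '&' / '=' characters inside values can change the signed meaning."""
    return urlencode(sorted(fields.items())).encode()


def sign(fields: dict, key: bytes) -> str:
    """Keyed signature: HMAC-SHA256 rather than a bare hash over data plus key."""
    if not key_is_acceptable(key):
        raise ValueError("secret key must be at least %d bytes" % MIN_KEY_BYTES)
    return hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()


def verify(fields: dict, signature: str, key: bytes) -> bool:
    """Constant-time comparison so a mismatch leaks nothing through timing."""
    return hmac.compare_digest(sign(fields, key), signature)


# Constructed sample values for the demo (not real transaction data).
SAMPLE_KEY = b"constructed-demo-key-32-bytes!!!"  # 32 bytes; use new_key() in practice
SAMPLE_FORM = {"order_id": "A1001", "amount": "4999", "currency": "978"}

if __name__ == "__main__":
    sig = sign(SAMPLE_FORM, SAMPLE_KEY)
    print(verify(SAMPLE_FORM, sig, SAMPLE_KEY))                    # True
    print(verify(dict(SAMPLE_FORM, amount="1"), sig, SAMPLE_KEY))  # False: amount tampered
```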

Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Paiement; Paiement ecommerce Systempay
Type: Vendors & Products
Values Added: Paiement; Paiement ecommerce Systempay

Thu, 14 May 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 15:15:00 +0000

Type: Description
Values Added: Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. Attackers can extract payment form data and signatures from POST requests to the payment endpoint, then use SHA1 hash comparison to iteratively test key candidates until discovering the correct production key, enabling them to forge valid payment signatures and manipulate transaction amounts.
Type: Title
Values Added: Ecommerce Systempay 1.0 Production Key Brute Force
Type: Weaknesses
Values Added: CWE-328
Type: References
Values Added: (empty)
Type: Metrics
Values Added: cvssV3_1
{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
cvssV4_0
{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-14T13:35:20.830Z

Reserved: 2026-02-06T12:30:34.927Z

Link: CVE-2020-37168

Vulnrichment

Updated: 2026-05-14T13:35:16.947Z

NVD

Status: Deferred

Published: 2026-05-13T16:16:31.720

Modified: 2026-05-13T17:07:21.030

Link: CVE-2020-37168

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:34:24Z

Weaknesses