Description
Rapid7 Nexpose versions 6.4.50 and later are vulnerable to an insufficient entropy issue in the CredentialsKeyStorePassword.generateRandomPassword() method. When updating legacy keystore passwords, the application generates a new password with insufficient length (7-12 characters) and a static prefix 'p', resulting in a weak keyspace. An attacker with access to the nsc.ks file can brute-force this password using consumer-grade hardware to decrypt stored credentials.
Published: 2026-02-03
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credential Exposure
Action: Patch ASAP
AI Analysis

Impact

Rapid7 Nexpose generates new keystore passwords using the generateRandomPassword() method, but the algorithm produces only 7 to 12 character strings that always start with the static prefix 'p'. The fixed first character contributes nothing to the keyspace, so the effective entropy comes from at most 11 random characters; this is classified as CWE-331 (Insufficient Entropy). An attacker who can read the nsc.ks file can brute-force the password on consumer-grade hardware, decrypting all stored credentials and exposing sensitive data.
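To put a number on the "very small keyspace" described above, here is an added Python illustration (not Rapid7's code; the generateRandomPassword() implementation itself is not reproduced on this page). It counts the distinct passwords a scheme can produce, applies the advisory's parameters (7 to 12 characters, first character fixed to 'p'), and compares the result with a fixed-length CSPRNG generator of the kind a keystore password should use. The 62-symbol alphanumeric alphabet is an assumption; the page does not state the real character set, and a smaller one shrinks the space further still.

```python
import math
import secrets
import string

# Assumed alphabet (62 symbols); the advisory does not state the real one.
ALPHABET = string.ascii_letters + string.digits


def keyspace_size(alphabet_size: int, min_len: int, max_len: int,
                  fixed_prefix_len: int = 0) -> int:
    """Count distinct passwords whose total length is min_len..max_len.

    Only the characters after the fixed prefix are chosen freely, so a
    password of total length L contributes alphabet_size ** (L - prefix)
    candidates. Lengths shorter than the prefix contribute nothing.
    """
    total = 0
    for length in range(min_len, max_len + 1):
        free = length - fixed_prefix_len
        if free >= 0:
            total += alphabet_size ** free
    return total


def keyspace_bits(alphabet_size: int, min_len: int, max_len: int,
                  fixed_prefix_len: int = 0) -> float:
    """Effective entropy in bits: log2 of the number of candidates."""
    return math.log2(keyspace_size(alphabet_size, min_len, max_len, fixed_prefix_len))


def weak_scheme_bits() -> float:
    """The advisory's parameters: 7-12 characters, first one always 'p'."""
    return keyspace_bits(len(ALPHABET), 7, 12, fixed_prefix_len=1)


def nominal_scheme_bits() -> float:
    """What the same lengths would give if every character were random."""
    return keyspace_bits(len(ALPHABET), 7, 12)


def hardened_password(length: int = 32) -> str:
    """Fixed-length password drawn from a CSPRNG, with no constant prefix."""
    if length < 16:
        raise ValueError("keystore passwords should be at least 16 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hardened_bits(length: int = 32) -> float:
    """Entropy of the hardened generator at the given fixed length."""
    return keyspace_bits(len(ALPHABET), length, length)


if __name__ == "__main__":
    print(f"weak scheme (7-12, fixed 'p'): {weak_scheme_bits():.1f} bits")
    print(f"same lengths, all random:      {nominal_scheme_bits():.1f} bits")
    print(f"hardened, 32 chars:            {hardened_bits():.1f} bits")
    print("sample hardened password:", hardened_password())
```

Two things the numbers make visible: the count is dominated by the longest length, so the variable 7 to 12 range adds almost nothing over a flat 12, and the static prefix costs exactly one character's worth of entropy (log2 of the alphabet size) regardless of length. Under the assumed alphabet the weak scheme lands in the mid-60-bit range versus roughly 190 bits for a 32-character CSPRNG password; with a smaller real alphabet the gap only widens.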

Affected Systems

The flaw affects Rapid7 InsightVM and Nexpose versions 6.4.50 and later. Users running any release from 6.4.50 upward are at risk.

Risk and Exploitability

The CVSS score is 6.8, indicating moderate risk. The EPSS score is below 1%, reflecting a low probability of widespread exploitation, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires read or write access to the nsc.ks file, so a prior local compromise or a file-system misconfiguration is the typical precondition. Once the password is recovered by brute-forcing, the attacker gains immediate access to all credentials stored in that keystore.

Generated by OpenCVE AI on April 18, 2026 at 00:20 UTC.

Remediation

Vendor Solution

InsightVM or Nexpose customers with automatic product updates enabled will receive and process this update when it is released. Customers who manually control their own update version can utilize the manual update process within the security console to update to version 8.36.0 when it is made available. We recommend those customers schedule this update as soon as reasonably possible.


OpenCVE Recommended Actions

  • Update InsightVM or Nexpose to version 8.36.0 or later to apply the fixed password generation algorithm
  • Enable automatic product updates so that the fix is applied without manual intervention
  • Restrict file system permissions on the nsc.ks keystore file to prevent unauthorized read access
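One way to verify the last recommendation on an existing install, as an added Python audit snippet (not OpenCVE or Rapid7 tooling): it flags a keystore file that is readable by group or others, owned by an unexpected account, reachable through a symlink, or sitting in a world-writable directory. The keystore path and the expected owner are placeholders, since the page does not give the on-disk location of nsc.ks; the demo function creates a constructed stand-in file in a temporary directory rather than touching a real keystore.

```python
import os
import stat
import tempfile
from typing import List, Optional

# Placeholders: the page does not state where nsc.ks lives or which
# account the console runs as. Set both for your own deployment.
KEYSTORE_PATH = "/path/to/nsc.ks"
EXPECTED_UID: Optional[int] = None


def audit_keystore(path: str, expected_uid: Optional[int] = None) -> List[str]:
    """Return a list of findings; an empty list means owner-only access."""
    findings = []

    # A symlink in the keystore's place means the checks below describe
    # the target, not the link; call it out rather than silently follow it.
    if stat.S_ISLNK(os.lstat(path).st_mode):
        findings.append(f"{path}: is a symlink; audit its target as well")

    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(
            f"{path}: mode {mode:04o} grants group/other access; expected 0600")

    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(
            f"{path}: owned by uid {st.st_uid}, expected uid {expected_uid}")

    # A world-writable parent lets anyone swap the file out from under
    # the service even when the file itself is locked down.
    parent = os.path.dirname(os.path.abspath(path))
    parent_mode = stat.S_IMODE(os.stat(parent).st_mode)
    if parent_mode & stat.S_IWOTH:
        findings.append(f"{parent}: directory is world-writable")

    return findings


def demo_audit() -> tuple:
    """Run the audit against a constructed stand-in file, first with loose
    permissions and then with owner-only permissions; returns both results."""
    with tempfile.TemporaryDirectory() as workdir:
        stand_in = os.path.join(workdir, "nsc.ks")
        with open(stand_in, "wb") as fh:
            fh.write(b"constructed placeholder, not a real keystore")
        os.chmod(stand_in, 0o644)
        loose = audit_keystore(stand_in, os.getuid())
        os.chmod(stand_in, 0o600)
        tight = audit_keystore(stand_in, os.getuid())
    return loose, tight


if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo_audit()):
        print(f"mode {label}: {result or 'no findings'}")
```

On a real system, run `audit_keystore(KEYSTORE_PATH, EXPECTED_UID)` as part of the same job that checks the console version, so a permissions regression is caught even after the 8.36.0 update lands.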

Generated by OpenCVE AI on April 18, 2026 at 00:20 UTC.

Advisories

No advisories yet.

History

Mon, 09 Feb 2026 19:30:00 +0000

Type: Description
Values removed: A security vulnerability has been identified in Rapid7 Nexpose. Remediation is in progress.
Values added: Rapid7 Nexpose versions 6.4.50 and later are vulnerable to an insufficient entropy issue in the CredentialsKeyStorePassword.generateRandomPassword() method. When updating legacy keystore passwords, the application generates a new password with insufficient length (7-12 characters) and a static prefix 'p', resulting in a weak keyspace. An attacker with access to the nsc.ks file can brute-force this password using consumer-grade hardware to decrypt stored credentials.

Thu, 05 Feb 2026 20:00:00 +0000

Type: Metrics (cvssV4_0)
Values removed: {'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}
Values added: {'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}


Wed, 04 Feb 2026 16:45:00 +0000

Type: Description
Values removed: Rapid7 Nexpose versions 6.4.50 and later are vulnerable to an insufficient entropy issue in the CredentialsKeyStorePassword.generateRandomPassword() method. When updating legacy keystore passwords, the application generates a new password with insufficient length (7-12 characters) and a static prefix 'p', resulting in a weak keyspace. An attacker with access to the nsc.ks file can brute-force this password using consumer-grade hardware to decrypt stored credentials.
Values added: A security vulnerability has been identified in Rapid7 Nexpose. Remediation is in progress.

Wed, 04 Feb 2026 12:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Rapid7; Rapid7 nexpose
Type: Vendors & Products
Values removed: (none)
Values added: Rapid7; Rapid7 nexpose

Tue, 03 Feb 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 03 Feb 2026 15:15:00 +0000

Type: Description
Values added: Rapid7 Nexpose versions 6.4.50 and later are vulnerable to an insufficient entropy issue in the CredentialsKeyStorePassword.generateRandomPassword() method. When updating legacy keystore passwords, the application generates a new password with insufficient length (7-12 characters) and a static prefix 'p', resulting in a weak keyspace. An attacker with access to the nsc.ks file can brute-force this password using consumer-grade hardware to decrypt stored credentials.
Type: Title
Values added: Rapid7 Nexpose Insecure Java Keystore Password Generation
Type: Weaknesses
Values added: CWE-331
Type: References
Values added: (none listed)
Type: Metrics (cvssV4_0)
Values added: {'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: rapid7

Published:

Updated: 2026-02-26T15:04:28.129Z

Reserved: 2026-02-03T14:05:09.471Z

Link: CVE-2026-1814

Vulnrichment

Updated: 2026-02-03T17:08:11.712Z

NVD

Status : Deferred

Published: 2026-02-03T15:16:14.137

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1814

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:30:25Z

Weaknesses