Description
Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link.
Published: 2026-05-07
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in Cryptobox's external sharing feature, allowing an attacker who knows a sharing link URL to obtain server-side information that can be used to perform an offline brute-force attack against the access code that protects the shared content. This flaw permits unauthorized reading or copying of data that was intended to remain confidential to the designated recipients. The weakness is an information-exposure flaw (CWE‑280) where access code protection is inadequate.

Affected Systems

The product affected is Ercom Cryptobox. No specific version numbers were supplied in the CNA data.

Risk and Exploitability

Reported CVSS score of 6.9 indicates a medium-to-high risk. The EPSS score of less than 1% shows a low probability of active exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires the attacker to obtain a valid external sharing link URL; once the URL is in hand, the server leaks information that facilitates an offline brute-force attack against the access code. Success would expose the confidential data shared via the link. The drawback of a low EPSS suggests that exploitation may be opportunistic rather than widespread, but the potential confidentiality impact remains significant.

Generated by OpenCVE AI on May 11, 2026 at 18:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch or upgrade Cryptobox to a version that addresses the external sharing link information disclosure.
  • Disable or restrict the ability to create external sharing links until the patch is applied.
  • Enforce longer, more complex access codes for external shares to make brute‑force attempts impractical.

Generated by OpenCVE AI on May 11, 2026 at 18:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Thalesgroup
Thalesgroup ercom Cryptobox
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:thalesgroup:ercom_cryptobox:*:*:*:*:*:*:*:*
Vendors & Products Thalesgroup
Thalesgroup ercom Cryptobox
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Thu, 07 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Ercom
Ercom cryptobox
Vendors & Products Ercom
Ercom cryptobox

Thu, 07 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link.
Title Vulnerability on Cryptobox external sharing feature
Weaknesses CWE-280
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Ercom Cryptobox
Thalesgroup Ercom Cryptobox
cve-icon MITRE

Status: PUBLISHED

Assigner: THA-PSIRT

Published:

Updated: 2026-05-07T13:39:33.124Z

Reserved: 2026-04-21T15:15:08.431Z

Link: CVE-2026-6805

cve-icon Vulnrichment

Updated: 2026-05-07T13:39:30.143Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-07T10:16:06.340

Modified: 2026-05-11T16:37:56.233

Link: CVE-2026-6805

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T18:30:05Z

Weaknesses