Advisory

Apache Syncope hard-coded AES key flaw exposes user passwords

Take action: If you run Apache Syncope with AES password encryption enabled, upgrade immediately to version 3.0.15 or 4.0.3, which fix the hard-coded key. No fixed release is listed for the 2.1 branch, so 2.1.x installations must move to a fixed 3.0 or 4.0 release. Upgrading alone does not protect values that were already encrypted under the hard-coded key: anyone who obtained a copy of the internal database (including backups, replicas or dumps) can still decrypt them, so force a password reset for every user stored with AES after the upgrade.

Learn More

A security vulnerability in Apache Syncope allows stored user passwords to be decrypted. Syncope is an open-source identity management system used by organizations to manage user identities and access control.

The vulnerability, tracked as CVE-2025-65998 (CVSS score 7.5), affects Apache Syncope installations configured to store user password values in the internal database with AES encryption. This is not the default configuration: out of the box Syncope stores passwords as hashes, and only deployments that explicitly selected AES as the password cipher algorithm (the password.cipher.algorithm configuration parameter) are exposed. Checking that parameter is the quickest way to tell whether an installation is affected.

When AES is selected, the system encrypts passwords with an AES key hard-coded in the application's source code. Because the source is public, the key is effectively public too, and the encrypted values are reversible by design (unlike hashes). Any attacker who obtains the internal database, whether through a SQL injection elsewhere, a leaked backup, or read access to a replica, can therefore decrypt and recover the cleartext password of every user stored under this mechanism without needing anything from the running server.
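The following Go program is an added illustration of the weakness class described above, not code from Apache Syncope or from the advisory; the key, the user table and the passwords in it are constructed for the example. It encrypts a small "user table" two ways, once with a key that lives in the source code and once with a key provisioned per deployment, and then runs the attacker's side: a routine that has only the table contents plus the public source and tries to recover the passwords.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// hardcodedKey stands in for the flaw class: an AES key that lives in the
// application's (public) source code. CONSTRUCTED for this example; it is
// not a key from any Apache Syncope release.
var hardcodedKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256

// StoredCredential models one row of an internal user table that keeps a
// reversible (AES) password value instead of a salted hash.
type StoredCredential struct {
	Username   string
	CipherText string // base64(nonce || AES-GCM ciphertext+tag)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWithKey encrypts plaintext under key with AES-GCM and a fresh nonce.
func sealWithKey(key, plaintext []byte) (string, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, nil) // nonce is prepended
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// openWithKey reverses sealWithKey; it fails with the wrong key because GCM
// authenticates the ciphertext.
func openWithKey(key []byte, encoded string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
}

// EncryptPasswords is the application side. Called with hardcodedKey it is
// the flawed pattern; called with a per-deployment key it is the fix: the
// cipher is identical, only the key's origin changes.
func EncryptPasswords(key []byte, users map[string]string) ([]StoredCredential, error) {
	rows := make([]StoredCredential, 0, len(users))
	for name, pw := range users {
		ct, err := sealWithKey(key, []byte(pw))
		if err != nil {
			return nil, err
		}
		rows = append(rows, StoredCredential{Username: name, CipherText: ct})
	}
	return rows, nil
}

// NewDeploymentKey generates a per-deployment key. In a real system it is
// created once at install time and held in a secrets store, key vault or
// HSM, never in source control and never in the same database.
func NewDeploymentKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// RecoverFromDump is the attacker's side: given only a copy of the table,
// try the key from the public source. Returns what was decrypted and the
// number of rows that could not be.
func RecoverFromDump(rows []StoredCredential) (map[string]string, int) {
	recovered := make(map[string]string)
	failed := 0
	for _, r := range rows {
		pt, err := openWithKey(hardcodedKey, r.CipherText)
		if err != nil {
			failed++
			continue
		}
		recovered[r.Username] = string(pt)
	}
	return recovered, failed
}

func main() {
	users := map[string]string{"alice": "S3cret!", "bob": "hunter2"} // constructed sample accounts

	vuln, _ := EncryptPasswords(hardcodedKey, users)
	got, _ := RecoverFromDump(vuln)
	fmt.Printf("hard-coded key:  attacker recovered %d of %d passwords: %v\n", len(got), len(vuln), got)

	key, _ := NewDeploymentKey()
	hardened, _ := EncryptPasswords(key, users)
	got2, failed := RecoverFromDump(hardened)
	fmt.Printf("deployment key:  attacker recovered %d, failed on %d rows\n", len(got2), failed)
}
```

The point the run makes is that a hard-coded key turns "attacker has the database" directly into "attacker has every password", with no brute force and no access to the live server. Moving the key out of the source is necessary but not sufficient: values already written under the old key stay recoverable from any copy of the table taken before rotation, which is why the advisory's password-reset step matters.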

The vulnerability does not affect encrypted attributes stored in the database, because those use a different AES key management process and do not depend on the hard-coded key.

Affected Versions:

  • Apache Syncope (org.apache.syncope.core:syncope-core-spring) 2.1 through 2.1.14
  • Apache Syncope (org.apache.syncope.core:syncope-core-spring) 3.0 through 3.0.14
  • Apache Syncope (org.apache.syncope.core:syncope-core-spring) 4.0 through 4.0.2

Organizations running vulnerable versions should upgrade to version 3.0.15 or 4.0.3; the patches remove the hard-coded key from the password encryption path. No fixed 2.1 release is listed, so installations on that branch need to migrate to a fixed 3.0 or 4.0 release rather than wait for a 2.1 patch.
