PatchSiren cyber security CVE debrief
CVE-2018-25361 Soroush CVE debrief
CVE-2018-25361 describes an authentication bypass vulnerability in Soroush IM Desktop App version 0.17.0. The vulnerability stems from the application's use of a constant encryption key for database entries, allowing local attackers to inject pre-encrypted database records that bypass passcode protection. By manipulating the application's local database files, an attacker can unlock the client and gain unauthorized access to all stored communications, including chats, images, and files, without knowledge of the legitimate user's passcode. The vulnerability is classified as HIGH severity with a CVSS score of 7.0. The weakness is categorized under CWE-290 (Authentication Bypass by Spoofing). The CVE was published on May 25, 2026 and subsequently modified on May 26, 2026. The vulnerability status in NVD is currently marked as 'Deferred'. Multiple source references are available including an exploit database entry and a detailed advisory from VulnCheck.
- Vendor: Soroush
- Product: Soroush IM Desktop App
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-26
Who should care
- Organizations and individuals using Soroush IM Desktop App version 0.17.0 for sensitive communications
- Security teams responsible for endpoint protection and secure messaging deployment
- Incident response teams investigating potential unauthorized access to messaging data
- Compliance officers evaluating data protection controls for communication platforms
Technical summary
The Soroush IM Desktop App 0.17.0 uses a hardcoded or constant encryption key for protecting database entries related to passcode authentication. This cryptographic weakness enables local attackers with filesystem access to craft malicious database records using the known encryption key, inject them into the application's database, and effectively bypass the passcode authentication mechanism. The attack requires local access to the target system but grants complete unauthorized access to the victim's messaging data including all chats, images, and files. The vulnerability represents a fundamental flaw in the application's cryptographic design, specifically the failure to use user-derived or device-specific keys for authentication-protected data.
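As an added illustration (not code from Soroush, NVD or the advisory), the sketch below shows the design the last sentence points to: a key derived from the passcode and a per-install salt, with every database row authenticated under it. The row layout, function names, constant-key stand-in and PBKDF2 work factor are assumptions, since the app's real database format is not described on this page.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this sketch
CONSTANT_KEY = b"constructed-key-shipped-in-every-install"  # stand-in for the flawed design

def derive_key(passcode: str, salt: bytes) -> bytes:
    """Key depends on the user's passcode and a per-install random salt."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, ITERATIONS)

def seal(key: bytes, name: str, value: bytes) -> dict:
    """Build a row (hypothetical layout) whose MAC is bound to the row name."""
    tag = hmac.new(key, name.encode() + b"\x00" + value, hashlib.sha256).digest()
    return {"name": name, "value": value, "tag": tag}

def verify(key: bytes, row: dict) -> bool:
    """Constant-time check that the row was sealed under this key."""
    expected = hmac.new(key, row["name"].encode() + b"\x00" + row["value"],
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, row["tag"])

def unlock(db: dict, passcode: str):
    """Return the derived key only if the lock row verifies under it."""
    key = derive_key(passcode, db["salt"])
    return key if verify(key, db["lock"]) else None

def new_db(passcode: str) -> dict:
    """Constructed sample database: salt, lock row and one data row."""
    salt = os.urandom(16)
    key = derive_key(passcode, salt)
    return {"salt": salt, "lock": seal(key, "lock", b"enabled"),
            "rows": [seal(key, "chat:1", b"constructed message")]}

def demo() -> dict:
    db = new_db("correct horse")
    # Lock row prepared under the constant key and written into the file.
    injected = dict(db, lock=seal(CONSTANT_KEY, "lock", b"disabled"))
    # Whole lock state replaced with one built from a different passcode.
    swapped = dict(new_db("intruder"), rows=db["rows"])
    swapped_key = unlock(swapped, "intruder")
    return {
        "owner_unlocks": unlock(db, "correct horse") is not None,
        "wrong_passcode": unlock(db, "guess") is not None,
        "injected_row_accepted": unlock(injected, "guess") is not None,
        "swapped_lock_reads_rows": all(verify(swapped_key, r) for r in swapped["rows"]),
    }
```

In a full design the same derived key would also wrap the data-encryption key with an AEAD, so that replaced lock state leaves stored content unreadable as well as unverifiable.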
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Soroush IM Desktop App to a version newer than 0.17.0 if available, or contact the vendor for security patches
- Implement endpoint protection controls to restrict unauthorized access to application database files on local systems
- Monitor for anomalous access patterns to Soroush IM database files and configuration directories
- Consider application whitelisting and file integrity monitoring for critical messaging application components
- Review and enforce principle of least privilege for user accounts with access to messaging application data
- Assess whether alternative secure messaging solutions should be used until patches are confirmed available
Evidence notes
The vulnerability description is sourced from official NVD records with CVSS 4.0 vector analysis. The weakness classification (CWE-290) is attributed to the disclosure source. Vendor identification is marked as low confidence based on reference domain analysis, with 'Soroush App' identified as the candidate vendor. The vulnerability affects version 0.17.0 specifically.
Official resources
The vulnerability was disclosed through VulnCheck with supporting references to exploit-db.com and the vendor's website.