CVE: CVE-2007-5460

Export to Word

Microsoft ActiveSync 4.1, as used in Windows Mobile 5.0, uses weak encryption (XOR obfuscation with a fixed key) when sending the user's PIN/Password over the USB connection from the host to the device, which might make it easier for attackers to decode a PIN/Password obtained by (1) sniffing or (2) spoofing the docking process.

Threat-Mapped Scoring

Score: 3.0

Priority: P2 - Serious (High)

S1 – Steal Customer Account Information

EPSS

Score: 0.01027
Percentile: 0.76349

CVSS Scoring

CVSS v3.1 Score: 4.6

Severity: MEDIUM

Mapped CWE(s)

CWE-327 : Use of a Broken or Risky Cryptographic Algorithm

All CAPEC(s)

CAPEC-20: Encryption Brute Forcing
CAPEC-459: Creating a Rogue Certification Authority Certificate
CAPEC-473: Signature Spoof
CAPEC-475: Signature Spoofing by Improper Validation
CAPEC-608: Cryptanalysis of Cellular Encryption
CAPEC-614: Rooting SIM Cards
CAPEC-97: Cryptanalysis

CAPEC(s) with Mapped TTPs

CAPEC-473: Signature Spoof
Mapped TTPs:
- T1036.001 : Invalid Code Signature
- T1553.002 : Code Signing

Mapped ATT&CK TTPs

T1036.001 : Invalid Code Signature
Kill Chain: defense-evasion
T1553.002 : Code Signing
Kill Chain: defense-evasion

Malware

APTs Threat Group Associations

Campaigns

APT41 DUST
SolarWinds Compromise
Operation Honeybee
RedDelta Modified PlugX Infection Chain Operations
Operation Dream Job
C0015

Affected Products

cpe:2.3:o:microsoft:windows_mobile:5.0:*:*:*:*:*:*:*

← Back to Home