Apache has issued a security advisory warning that Apache Syncope, the widely used open-source identity management platform, contains a design flaw that can expose user passwords stored in enterprise deployments.
Tracked as CVE-2025-65998, the vulnerability stems from a hard-coded AES encryption key used when Syncope is configured to encrypt passwords in its internal database. The flaw affects multiple major versions, including:
- Syncope 2.1.x up to and including 2.1.14
- Syncope 3.0.x up to and including 3.0.14
- Syncope 4.0.x up to and including 4.0.2
Apache has classified the issue as Severity: Important.
According to the advisory, “Apache Syncope can be configured to store the user password values in the internal database with AES encryption… When AES is configured, the default key value, hard-coded in the source code, is always used.”
The vulnerable configuration is not the default: administrators must have opted to store passwords with the AES encryption option. When they have, Syncope ignores any deployment-specific key and always uses the same key embedded in its source code, so every affected installation encrypts passwords under one publicly readable key.
Anyone who obtains the contents of the internal database (a backup or a dump is enough) can therefore combine it with that key and decrypt every stored password offline, with no brute force required.
The advisory confirms: “This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values.”
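To make the consequence concrete, the following Go program models the flaw and its fix. It is an added example, not code from Apache Syncope; the cipher mode (AES-256-GCM), the storage encoding and the key values are illustrative assumptions and do not reproduce Syncope's actual scheme. `vulnerableStore` accepts a configured key but encrypts under a key baked into the source, as the advisory describes; `fixedStore` uses the configured key. `recoverWithDefaultKey` then plays the attacker holding a database dump and the public source: it tries the hard-coded key against every row and returns whatever decrypts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// defaultKey models a secret baked into the source tree. Everyone who can
// read the code knows it, and every deployment shares it.
// Illustrative value only; this is not the key used by Syncope.
var defaultKey = sha256.Sum256([]byte("illustrative-hard-coded-key"))

// encrypt models reversible password storage: AES-256-GCM with a random
// nonce, stored as base64(nonce || ciphertext || tag). Assumed scheme.
func encrypt(key [32]byte, plaintext string) (string, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
	return base64.StdEncoding.EncodeToString(ct), nil
}

// decrypt reverses encrypt. Under the wrong key GCM's tag check fails,
// so a mismatch is reported as an error rather than as garbage.
func decrypt(key [32]byte, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value too short")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// vulnerableStore models the flawed behaviour: the configured key is
// accepted but never used, and the hard-coded key is applied every time.
func vulnerableStore(configuredKey [32]byte, password string) (string, error) {
	_ = configuredKey // read from configuration, then ignored
	return encrypt(defaultKey, password)
}

// fixedStore models the corrected behaviour: the per-deployment key wins.
func fixedStore(configuredKey [32]byte, password string) (string, error) {
	return encrypt(configuredKey, password)
}

// recoverWithDefaultKey is the attacker's step: given a dump of stored
// values keyed by username, try the public hard-coded key on each row and
// return every password that comes back in the clear.
func recoverWithDefaultKey(rows map[string]string) map[string]string {
	recovered := map[string]string{}
	for user, stored := range rows {
		if pw, err := decrypt(defaultKey, stored); err == nil {
			recovered[user] = pw
		}
	}
	return recovered
}

func main() {
	// Constructed per-deployment key, standing in for one loaded from config.
	var deployKey [32]byte
	if _, err := rand.Read(deployKey[:]); err != nil {
		panic(err)
	}
	users := map[string]string{"alice": "Winter2025!", "bob": "hunter2"} // constructed sample
	vulnRows, fixedRows := map[string]string{}, map[string]string{}
	for u, p := range users {
		vulnRows[u], _ = vulnerableStore(deployKey, p)
		fixedRows[u], _ = fixedStore(deployKey, p)
	}
	fmt.Println("recovered from vulnerable rows:", recoverWithDefaultKey(vulnRows))
	fmt.Println("recovered from fixed rows:     ", recoverWithDefaultKey(fixedRows))
}
```

Run as written, the first line lists both users' cleartext passwords and the second is empty: the only difference between the two stores is whose key was used, which is exactly the difference the advisory turns on. Note that the fixed variant is still reversible encryption; an attacker who obtains both the database and the configured key recovers the same passwords, so the fix narrows the exposure rather than removing it.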
The exposure is limited to stored password values. Apache notes that encrypted "plain attributes" are not affected, because they are handled by a separate mechanism.
No fix is provided for the 2.1 series, which is no longer a supported release line; users on 2.1 are advised to move to a supported one. Users of 3.0 should upgrade to 3.0.15 and users of 4.0 to 4.0.3, which fix the flaw. Upgrading does not retroactively protect data that has already left the database: any copy of the internal database taken while an AES-configured deployment was on an affected version can still be decrypted with the hard-coded key, so administrators should treat those passwords as exposed and rotate them after upgrading.