CVE-2007-5460

low-risk
Published 2007-10-15

Microsoft ActiveSync 4.1, as used in Windows Mobile 5.0, uses weak encryption (XOR obfuscation with a fixed key) when sending the user's PIN/Password over the USB connection from the host to the device, which might make it easier for attackers to decode a PIN/Password obtained by (1) sniffing or (2) spoofing the docking process.

Do I need to act?

~
1.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.6/10 Medium
PHYSICAL / LOW complexity

Affected Products (1)

Affected Vendors

Microsoft

References (10)

Broken Link http://osvdb.org/38499
Broken Link http://securityreason.com/securityalert/3232
Broken Link http://www.securityfocus.com/archive/1/482299/100/0/threaded
Broken Link http://www.securityfocus.com/bid/25976
Third Party Advisory https://exchange.xforce.ibmcloud.com/vulnerabilities/37223
Broken Link http://osvdb.org/38499
Broken Link http://securityreason.com/securityalert/3232
Broken Link http://www.securityfocus.com/archive/1/482299/100/0/threaded
Broken Link http://www.securityfocus.com/bid/25976
Third Party Advisory https://exchange.xforce.ibmcloud.com/vulnerabilities/37223
24
/ 100
low-risk
Severity 16/34 · Moderate
Exploitability 3/34 · Minimal
Exposure 5/34 · Minimal