CVE-2025-47276

moderate-risk
Published 2025-05-13

Actualizer is a single shell script solution to allow developers and embedded engineers to create Debian operating systems (OS). Prior to version 1.2.0, Actualizer uses OpenSSL's "-passwd" function, which uses SHA512 instead of a more suitable password hasher like Yescript/Argon2i. All Actualizer users building a full Debian Operating System are affected. Users should upgrade to version 1.2.0 of Actualizer. Existing OS deployment requires manual password changes against the alpha and root accounts. The change will deploy's Debian's yescript overriding the older SHA512 hash created by OpenSSL. As a workaround, users need to reset both `root` and "Alpha" users' passwords.

Do I need to act?

-
0.24% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

References (7)

https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
https://github.com/ChewKeanHo/Actualizer/commit/32c9cc232c856f078f8269fba80ce756...
https://github.com/ChewKeanHo/Actualizer/issues/1
https://github.com/ChewKeanHo/Actualizer/releases/tag/v1.2.0
https://github.com/ChewKeanHo/Actualizer/security/advisories/GHSA-v626-chv9-v9qr
https://github.com/openssl/openssl/issues/19340
https://www.reddit.com/r/debian/comments/1kknzqi/actualizer_v110_upgraded
32
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal