CVE-2020-14474
Description
The Cellebrite UFED physical device 5.0 through 7.5.0.845 relies on key material hardcoded within both the executable code supporting the decryption process, and within the encrypted files themselves by using a key enveloping technique. The recovered key material is the same for every device running the same version of the software, and does not appear to be changed with each new build. It is possible to reconstruct the decryption process using the hardcoded key material and obtain easy access to otherwise protected data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cellebrite UFED physical device versions 5.0 through 7.5.0.845 uses hardcoded AES key material, enabling easy decryption of protected data.
Vulnerability
The Cellebrite UFED physical device (versions 5.0 through 7.5.0.845) relies on hardcoded AES key material within the FileUnpacking.dll executable and within encrypted .epr files via a key enveloping technique [1]. This corresponds to CWE-321: Hardcoded Use of Cryptographic Keys. The recovered key material is identical for every device running the same software version and does not change across builds.
Exploitation
An attacker with access to the UFED software or its encrypted files can extract the hardcoded AES keys from the FileUnpacking.dll using provided scripts [1]. With the extracted keys, the attacker can decrypt corresponding .epr files (e.g., Android.zip.epr) without requiring authentication or prior interaction. The process is straightforward and automated using the tools described in the advisory.
Impact
Successful exploitation allows complete decryption of otherwise protected forensic data, leading to full loss of confidentiality. Because the key material is shared across all devices running the same version, the impact is widespread, affecting any data protected by those UFED versions.
Mitigation
No official fix or patched version has been released by Cellebrite as of the publication date (2020-06-29) [1]. Users should request updated software with proper key management from the vendor. No workaround exists that addresses the hardcoded key issue.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Cellebrite/Cellebrite UFED physical devicedescription
- Range: 5.0 through 7.5.0.845
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Hardcoded AES key material in FileUnpacking.dll, shared across all devices running the same software version, allows anyone with the binary to decrypt protected EPR files."
Attack vector
An attacker with access to a Cellebrite UFED device (or its software distribution) can extract the hardcoded AES key material from the `FileUnpacking.dll` binary using the provided `extract-keys` script. The same key material is shared across all devices running the same software version and does not change between builds [ref_id=1]. With the recovered keys, the attacker can decrypt any EPR file (e.g., `Android.zip.epr`) produced by that version of the software, gaining access to the otherwise protected extracted mobile-device data [CWE-321]. No network access or authentication bypass is required; the attacker only needs the binary and the encrypted EPR files.
Affected code
The vulnerability resides in the `FileUnpacking.dll` binary that ships with Cellebrite UFED Physical device versions 5.0 through 7.5.0.845. The DLL contains hardcoded AES key material used to decrypt EPR (encrypted package) files. The advisory demonstrates that key material can be extracted from this DLL by scanning for known SHA256 hash patterns across DWORD-aligned offsets [ref_id=1].
What the fix does
The advisory does not describe a vendor patch or provide a fix. It recommends that Cellebrite stop relying on a single, hardcoded key shared across all devices and instead use a key-management scheme where each device or each extraction session derives unique key material [ref_id=1]. Without such a change, any party who obtains a copy of the `FileUnpacking.dll` can decrypt all EPR files created by that software version.
Preconditions
- inputAttacker must have access to the FileUnpacking.dll binary from a Cellebrite UFED device (version 5.0 through 7.5.0.845)
- inputAttacker must have access to one or more encrypted EPR files produced by the same software version
Reproduction
The advisory provides a proof-of-concept workflow. First, run the `extract-keys` script on the `FileUnpacking.dll` binary to recover the hardcoded AES key material. The script iterates over DWORD-aligned offsets in the DLL, computes SHA256 hashes, and compares them against known patterns to extract the keys. Then use the `decrypt-epr` tool with the recovered keys to decrypt any EPR file (e.g., `Android.zip.epr`). A `Makefile` is provided to automate both steps [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- packetstormsecurity.com/files/158254/Cellebrite-EPR-Decryption-Hardcoded-AES-Key-Material.htmlmitrex_refsource_MISC
- seclists.org/fulldisclosure/2020/Jun/31mitrex_refsource_MISC
- korelogic.com/Resources/Advisories/KL-001-2020-003.txtmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.