VYPR
Unrated severity · NVD Advisory · Published Mar 27, 2023 · Updated Feb 19, 2025

CVE-2023-25263

Description

Stimulsoft Designer uses a static secret to encrypt connection strings in .mrt files, allowing any attacker with access to such a file to decrypt the connection string.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Stimulsoft Designer (Desktop) versions 2023.1.4 and 2023.1.5, and allegedly all prior versions, use a static secret to encrypt connection strings stored in .mrt files. The secret is hardcoded in the Stimulsoft.Report.dll assembly, which is not obfuscated, making it easily recoverable via decompilation. [2]

Exploitation

An attacker only needs access to an .mrt file containing an embedded SQL datasource. By decompiling the Stimulsoft application (e.g., by downloading the trial version), the attacker obtains the static encryption key. This key is identical across all versions and installations, allowing the attacker to decrypt any connection string from such files without additional authentication. [2]

Impact

Successful exploitation results in disclosure of database connection strings, which may contain credentials and server addresses. This compromises confidentiality and can lead to further unauthorized access or data breaches. The CVSS score of 7.9 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N) reflects high impact on confidentiality and low impact on integrity. [2]

Mitigation

The vendor has stated that this vulnerability will not be fixed. No official patch or workaround is available. Users are advised to avoid storing sensitive connection strings in .mrt files, or consider using alternative reporting tools that do not rely on static encryption secrets. [2]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Use of a static, hardcoded encryption secret in Stimulsoft.Report.dll that does not change between versions or installations, allowing anyone who decompiles the assembly to decrypt any connection string in any .mrt file."

Attack vector

An attacker who obtains a `.mrt` file containing an embedded SQL datasource can decrypt the `

Affected code

The vulnerability resides in the `Stimulsoft.Report.dll` assembly, which contains a static encryption secret used to encrypt connection strings embedded in `.mrt` report files. The decompiled code reveals a hardcoded key that does not change between versions or operating systems [ref_id=1].

What the fix does

The vendor has stated that this issue will not be fixed [ref_id=1]. The recommended remediation is for users to avoid embedding connection strings in `.mrt` files, or to use an alternative encryption mechanism outside of Stimulsoft's built-in encryption, since the static secret can be trivially recovered by decompiling the un-obfuscated `Stimulsoft.Report.dll` assembly [ref_id=1].
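A defender's check for the remediation above (and for the Mitigation section earlier), added here as an example that is not part of this advisory or of Stimulsoft's own code: it walks a directory of .mrt files and flags every embedded connection string, separating plaintext credentials from values that are only protected by the product's static key. It assumes .mrt files are XML and that a data source's connection string is held in an element whose local name is ConnectionString; the sample reports are constructed.

```python
"""Audit .mrt report files for embedded connection strings (CVE-2023-25263).
Added example, not Stimulsoft's code. Assumption: .mrt files are XML and a
data source's connection string sits in an element whose local name is
'ConnectionString'; the rest of the schema is ignored."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Key=value parameters that mark a readable (unencrypted) connection string.
CONN_PARAMS = re.compile(r"\b(Data Source|Server|Password|Pwd|User Id|Uid)\s*=", re.I)

def findings_for_xml(xml_text: str, source: str = "<memory>") -> list:
    """Return one finding dict per embedded connection string in one report."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return [{"file": source, "kind": "unparsable"}]
    findings = []
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if local.lower() != "connectionstring":
            continue
        value = (elem.text or "").strip()
        if not value:
            continue
        # Plaintext credentials need no key at all; anything else is at best
        # protected by the product's static secret, which the advisory says is
        # recoverable from the unobfuscated assembly, so it is flagged too.
        kind = "plaintext" if CONN_PARAMS.search(value) else "encrypted"
        findings.append({"file": source, "kind": kind})
    return findings

def audit_directory(path) -> list:
    """Walk a directory tree and collect findings for every .mrt file."""
    out = []
    for mrt in sorted(Path(path).rglob("*.mrt")):
        text = mrt.read_text(encoding="utf-8", errors="replace")
        out.extend(findings_for_xml(text, str(mrt)))
    return out

# Constructed sample reports; the element layout is assumed, not real output.
SAMPLE_PLAINTEXT = """<Report><Dictionary><Databases><Database><Name>Sales</Name>
<ConnectionString>Server=db01;Database=sales;User Id=app;Password=hunter2</ConnectionString>
</Database></Databases></Dictionary></Report>"""
SAMPLE_ENCRYPTED = """<Report><Dictionary><Databases><Database><Name>Sales</Name>
<ConnectionString>PLACEHOLDER-BASE64-CIPHERTEXT==</ConnectionString>
</Database></Databases></Dictionary></Report>"""
SAMPLE_CLEAN = "<Report><Dictionary><Databases/></Dictionary></Report>"
```

Run `audit_directory("/path/to/reports")` against a report store; any "encrypted" or "plaintext" finding is a file that should have its data source moved out of the .mrt per the advice above.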

Preconditions

  • Input: attacker must obtain a .mrt file that contains an embedded SQL datasource with an encrypted connection string.
  • Input: attacker must decompile the Stimulsoft.Report.dll assembly (no obfuscation is used) to recover the static encryption secret.
  • Auth: no authentication or special privileges are required beyond file access to the .mrt file and the ability to download the trial version of the product.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0

No linked articles in our index yet.