No CVSS.
apid7 Nexpose versions 6.4.50 and later are vulnerable to an insufficient entropy issue in the CredentialsKeyStorePassword.generateRandomPassword() method. When updating legacy keystore passwords, the application generates a new password with insufficient length (7-12 characters) and a static prefix 'p', resulting in a weak keyspace. An attacker with access to the nsc.ks file can brute-force this password using consumer-grade hardware to decrypt stored credentials.
| Link | Resource |
|---|---|
| https://www.atredis.com/disclosure |
No configuration.
09 Feb 2026, 20:15
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | (en) Rapid7 Nexpose versions 6.4.50 and later are vulnerable to an insufficient entropy issue in the CredentialsKeyStorePassword.generateRandomPassword() method. When updating legacy keystore passwords, the application generates a new password with insufficient length (7-12 characters) and a static prefix 'p', resulting in a weak keyspace. An attacker with access to the nsc.ks file can brute-force this password using consumer-grade hardware to decrypt stored credentials. |
04 Feb 2026, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | (en) A security vulnerability has been identified in Rapid7 Nexpose. Remediation is in progress. |
03 Feb 2026, 15:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Published : 2026-02-03 15:16
Updated : 2026-02-09 20:15
NVD link : CVE-2026-1814
Mitre link : CVE-2026-1814
CVE.ORG link : CVE-2026-1814
JSON object : View
No product.
Insufficient Entropy