Lumension® Endpoint Intelligence Center



Vulnerability Score: 7.1
CVE Id: CVE-2007-5460
Last Modified: 15 Nov 2008 12:00:00
Published: 15 Oct 2007 06:17:00
Confidentiality Impact: COMPLETE
Integrity Impact: NONE
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE



Microsoft ActiveSync 4.1, as used in Windows Mobile 5.0, uses weak encryption (XOR obfuscation with a fixed key) when sending the user's PIN/Password over the USB connection from the host to the device, which might make it easier for attackers to decode a PIN/Password obtained by (1) sniffing or (2) spoofing the docking process.

Vulnerable Systems


  • Microsoft ActiveSync 4.1


BID - 25976

XF - microsoft-activesync-weak-encryption(37223)

BUGTRAQ - 20071015 SYMSA-2007-010: Microsoft ActiveSync 4.x Weak Password Obfuscation

SREASON - 3232

OSVDB - 38499

Last Updated: 27 May 2016 10:46:10