Weak encryption on Funambol's cloud server
Posted date 28/01/2026
Identifier
INCIBE-2026-062
Importance
3 - Medium
Affected Resources
Cloud Server, version 30.0.0.20.
Description
INCIBE has coordinated the publication of a medium-severity vulnerability affecting Funambol's cloud server, a synchronization and mobile services platform. The vulnerability was discovered by David Herrero de la Peña and David Gomez Oliva.
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:
- CVE-2025-41351: CVSS v4.0: 6.0 | CVSS AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-649
Solution
Funambol has fixed the vulnerability in version v31.0.0.0.
Detail
CVE-2025-41351: a vulnerability that allows a padding oracle attack against the Funambol cloud server v30.0.0.20. Through the thumbnail display URL, an attacker can decrypt and encrypt the parameters that the application uses to generate ‘self-signed’ access URLs.
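An added example, not taken from the advisory and not Funambol's fix (which the advisory does not describe), of the general remedy for CWE-649: authenticate URL parameters with a MAC and reject any altered token with one uniform result before anything is parsed or decrypted. The key, parameter names and token layout are assumptions.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Assumption: a server-side secret; constructed value for the demo only.
MAC_KEY = b"constructed-demo-key"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(params: dict, ttl: int, now: Optional[int] = None) -> str:
    """Serialize params with an expiry and append an HMAC-SHA256 tag."""
    now = int(time.time()) if now is None else now
    payload = urlencode(sorted({**params, "exp": now + ttl}.items())).encode()
    tag = hmac.new(MAC_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the params, or None for every kind of failure alike."""
    now = int(time.time()) if now is None else now
    try:
        p64, t64 = token.split(".")
        payload, tag = _unb64(p64), _unb64(t64)
    except ValueError:
        return None
    expected = hmac.new(MAC_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison, done before the payload is parsed. If the
    # payload were ciphertext, this check would precede decryption, so
    # padding errors could never be reached with attacker-chosen bytes.
    if not hmac.compare_digest(tag, expected):
        return None
    params = dict(parse_qsl(payload.decode()))
    if int(params.pop("exp")) < now:
        return None
    return params
```

The handler that calls `verify_token` should map `None` to a single response (same status, body and timing path) so that the reason for rejection is not observable.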
CVE
Exploitation
No
New Manufacturer
Funambol
CVE Identifier
CVE-2025-41351
Severity
Medium