CVE-2025-58744: Milner Imagedirector Auth Bypass Flaw

CVE-2025-58744 Overview

CVE-2025-58744 is a hard-coded credentials vulnerability in the C2SGlobalSettings.dll component of Milner ImageDirector Capture on Windows. The application embeds a static encryption key that protects credentials used to decrypt document archive files. An attacker with local access can extract the hard-coded key, decrypt stored credentials, and then decrypt the archived document data. The flaw is tracked under [CWE-798: Use of Hard-coded Credentials]. Affected versions span from 7.0.9.0 up to but not including 7.6.3.25808.

Critical Impact

Local attackers can recover credentials protected by a static application key and decrypt confidential document archives stored by ImageDirector Capture.

Affected Products

• Milner ImageDirector Capture versions 7.0.9.0 through 7.6.3.25807
• C2SGlobalSettings.dll component shipped with ImageDirector Capture
• Microsoft Windows installations running the affected ImageDirector Capture builds

Discovery Timeline

• 2026-01-20 - CVE-2025-58744 published to NVD
• 2026-02-10 - Last updated in NVD database

Technical Details for CVE-2025-58744

Vulnerability Analysis

The vulnerability resides in C2SGlobalSettings.dll, a shared library used by Milner ImageDirector Capture to manage application configuration and secrets. The DLL embeds a static encryption key inside the binary itself. ImageDirector Capture uses this key to encrypt credentials that subsequently protect document archive files. Because the key is identical across every installation, the protection collapses to obfuscation rather than encryption.

An attacker with local access to a system running an affected version can read the stored ciphertext and reuse the hard-coded key to recover the plaintext credentials. With those credentials, the attacker can decrypt document archive files containing scanned business documents handled by the capture application. The issue is local in scope, but the confidentiality impact on archived documents is high.

Root Cause

The root cause is reliance on a hard-coded symmetric key compiled into C2SGlobalSettings.dll rather than a per-installation key derived from user input, a Windows Data Protection API (DPAPI) context, or a hardware-backed key store. Anyone with the DLL can extract the key through static analysis and reproduce the decryption routine offline.

Attack Vector

Exploitation requires local access to a host running a vulnerable ImageDirector Capture version or possession of both the C2SGlobalSettings.dll binary and the encrypted artifacts. The attacker performs three steps: extract the embedded key from the DLL, decrypt the stored credential blob, then use the recovered credentials to open the document archive files. No user interaction or elevated privileges are required for the credential recovery step.

No public proof-of-concept code is referenced in the advisory. Technical details are described in the SRA Security Advisory.

Detection Methods for CVE-2025-58744

Indicators of Compromise

• Unexpected read access to C2SGlobalSettings.dll by processes other than ImageDirector Capture, such as reverse engineering or scripting tools.
• Access to ImageDirector Capture configuration files or document archive containers from user accounts that do not normally interact with the application.
• Copies of C2SGlobalSettings.dll or document archive files appearing on removable media, file shares, or in outbound transfer logs.

Detection Strategies

• Inventory all Windows endpoints running Milner ImageDirector Capture and flag installations with versions earlier than 7.6.3.25808.
• Monitor file integrity on the ImageDirector Capture installation directory and on archive storage paths to identify unauthorized access or exfiltration.
• Audit Windows process creation events for analysis utilities such as dumpbin.exe, dnSpy, ilspycmd, or PowerShell scripts touching C2SGlobalSettings.dll.

Monitoring Recommendations

• Collect endpoint telemetry for read and copy operations against the ImageDirector Capture binaries and document archive directories.
• Forward Windows Security and Sysmon logs to a central platform and alert on access by non-application accounts.
• Track outbound transfers of files matching ImageDirector archive extensions to detect attempts to decrypt archives offline.

How to Mitigate CVE-2025-58744

Immediate Actions Required

• Upgrade Milner ImageDirector Capture to version 7.6.3.25808 or later on all Windows hosts.
• Treat any credentials previously stored or protected by the affected version as compromised and rotate them.
• Restrict NTFS permissions on the ImageDirector Capture installation directory and document archive storage so that only the service account and authorized administrators can read these files.

Patch Information

Milner addressed the issue in ImageDirector Capture 7.6.3.25808. Apply the vendor update on every Windows endpoint running affected versions 7.0.9.0 through 7.6.3.25807. Refer to the SRA Security Advisory for advisory details.

Workarounds

• Limit local logon rights on systems running ImageDirector Capture to reduce the population of users who can reach the vulnerable DLL.
• Store document archive files on access-controlled shares and apply Windows BitLocker or equivalent volume encryption to raise the bar for offline attackers.
• Re-encrypt sensitive archives created with the affected version after patching so they no longer rely on the compromised key material.

# Configuration example
# Verify installed ImageDirector Capture version on Windows hosts (PowerShell)
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" |
  Where-Object { $_.DisplayName -like "*ImageDirector Capture*" } |
  Select-Object DisplayName, DisplayVersion, InstallLocation

# Restrict access to the ImageDirector Capture install directory
icacls "C:\Program Files\Milner\ImageDirector Capture" /inheritance:r
icacls "C:\Program Files\Milner\ImageDirector Capture" /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F"