Session Handling Vulnerabilities in Convercent Whistleblowing Platform by EQS Group
CVE-2025-34412

6.9 MEDIUM

Key Information:

Vendor
CVE Published:
15 December 2025

Badges

👾 Exploit Exists  🟡 Public PoC

What is CVE-2025-34412?

The Convercent Whistleblowing Platform by EQS Group suffers from serious vulnerabilities due to inadequate browser and session handling mechanisms. The platform's configurations lack essential HTTP security headers, such as Content-Security-Policy and Referrer-Policy, leading to increased risks from client-side attacks and session fixation. Additionally, session cookies are issued with insecure attributes, including duplicate session IDs, missing secure flags, and inconsistent SameSite settings. These weaknesses severely undermine the integrity of user sessions and the overall security posture of the application.
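
As an added illustration (not part of the advisory and not the vendor's code), the following Python script audits a captured HTTP response for the specific weaknesses the description names: missing Content-Security-Policy and Referrer-Policy headers, session cookies issued without the Secure attribute, the same session cookie set more than once in one response, and SameSite values that differ between those copies. The two sample responses, the session cookie name SESSIONID, and the reading of "duplicate session IDs" as repeated Set-Cookie lines for the same cookie are assumptions made for the example.

```python
# Audit an HTTP response for the session-handling weaknesses described in
# CVE-2025-34412. Constructed example; the sample responses and the cookie
# name are assumptions, not data from the advisory.

# Headers the advisory names as absent (compared case-insensitively)
REQUIRED_HEADERS = ("content-security-policy", "referrer-policy")


def parse_response_headers(raw):
    """Split a raw HTTP response (status line + headers) into a dict mapping
    lower-cased header name -> list of values. Repeated headers such as several
    Set-Cookie lines are all kept, which the duplicate-cookie check relies on."""
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # skip the status line
        if not line.strip():        # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_set_cookie(value):
    """Parse one Set-Cookie value into (name, cookie_value, attrs).
    Flag attributes (Secure, HttpOnly) map to True; valued ones (Path, SameSite)
    map to their string. Attribute names are lower-cased."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), cookie_value.strip(), attrs


def audit_response(raw, session_cookie_names=("sessionid",)):
    """Return a list of finding strings; an empty list means no weakness found.
    session_cookie_names is an assumed allow-list of cookie names to treat as
    session identifiers (compared case-insensitively)."""
    headers = parse_response_headers(raw)
    findings = []

    for header in REQUIRED_HEADERS:
        if header not in headers:
            findings.append(f"missing header: {header}")

    samesite_by_cookie = {}
    for raw_cookie in headers.get("set-cookie", []):
        name, _, attrs = parse_set_cookie(raw_cookie)
        if name.lower() not in session_cookie_names:
            continue
        if attrs.get("secure") is not True:
            findings.append(f"session cookie {name}: missing Secure attribute")
        samesite = attrs.get("samesite")
        samesite_by_cookie.setdefault(name, []).append(
            samesite.lower() if isinstance(samesite, str) else "unset")

    # A session cookie issued more than once in a single response, possibly with
    # differing SameSite values, is what the advisory's "duplicate session IDs"
    # and "inconsistent SameSite settings" are taken to mean here.
    for name, values in samesite_by_cookie.items():
        if len(values) > 1:
            findings.append(f"session cookie {name}: set {len(values)} times in one response")
        if len(set(values)) > 1:
            findings.append(f"session cookie {name}: inconsistent SameSite ({', '.join(values)})")
    return findings


# Constructed sample responses: one showing the weak configuration, one hardened.
RAW_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly; SameSite=None\r\n"
    "\r\n"
)
RAW_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", RAW_WEAK), ("hardened", RAW_HARDENED)):
        print(f"{label}: {audit_response(raw) or ['no findings']}")
```

Running the script against the weak response reports both missing headers, the missing Secure attribute on each copy of the cookie, the duplicate issuance, and the SameSite mismatch; the hardened response produces no findings. The same audit can be pointed at responses captured from a proxy or from a CI smoke test to confirm that a deployment has been corrected.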

Affected Version(s)

Convercent Whistleblowing Platform 0 <= 2025-12-15

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yuffie Kisaragi