Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-2172

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-13 Mar, 2024 | 15:26
Updated At-08 Apr, 2026 | 16:57
Rejected At-
Credits

Malware Scanner <= 4.7.2 and Web Application Firewall <= 2.1.1 - Unauthenticated Privilege Escalation

The Malware Scanner plugin and the Web Application Firewall plugin for WordPress (both by MiniOrange) are vulnerable to privilege escalation due to a missing capability check on the mo_wpns_init() function in all versions up to, and including, 4.7.2 (for Malware Scanner) and 2.1.1 (for Web Application Firewall). This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:13 Mar, 2024 | 15:26
Updated At:08 Apr, 2026 | 16:57
Rejected At:
▼CVE Numbering Authority (CNA)
Malware Scanner <= 4.7.2 and Web Application Firewall <= 2.1.1 - Unauthenticated Privilege Escalation

The Malware Scanner plugin and the Web Application Firewall plugin for WordPress (both by MiniOrange) are vulnerable to privilege escalation due to a missing capability check on the mo_wpns_init() function in all versions up to, and including, 4.7.2 (for Malware Scanner) and 2.1.1 (for Web Application Firewall). This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator.

Affected Products
Vendor
cyberlord92
Product
Web Application Firewall – website security
Default Status
unaffected
Versions
Affected
  • From 0 through 2.1.1 (semver)
Vendor
cyberlord92
Product
Malware Scanner
Default Status
unaffected
Versions
Affected
  • From 0 through 4.7.2 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-304CWE-304 Missing Critical Step in Authentication
Type: CWE
CWE ID: CWE-304
Description: CWE-304 Missing Critical Step in Authentication
Metrics
VersionBase scoreBase severityVector
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Stiofan O'Connor
Timeline
EventDate
Disclosed2024-03-13 00:00:00
Event: Disclosed
Date: 2024-03-13 00:00:00
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/6347f588-a3fd-4909-ad57-9d78787b5728?source=cve
N/A
https://plugins.trac.wordpress.org/browser/miniorange-malware-protection/tags/4.7.2/handler/login.php#L89
N/A
https://wordpress.org/plugins/miniorange-malware-protection/
N/A
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3054179%40miniorange-malware-protection&new=3054179%40miniorange-malware-protection&sfp_email=&sfph_mail=
N/A
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3054255%40web-application-firewall&new=3054255%40web-application-firewall&sfp_email=&sfph_mail=
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/6347f588-a3fd-4909-ad57-9d78787b5728?source=cve
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/miniorange-malware-protection/tags/4.7.2/handler/login.php#L89
Resource: N/A
Hyperlink: https://wordpress.org/plugins/miniorange-malware-protection/
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3054179%40miniorange-malware-protection&new=3054179%40miniorange-malware-protection&sfp_email=&sfph_mail=
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3054255%40web-application-firewall&new=3054255%40web-application-firewall&sfp_email=&sfph_mail=
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
miniorange
Product
malware_scanner
CPEs
  • cpe:2.3:a:miniorange:malware_scanner:*:*:*:*:*:wordpress:*:*
Default Status
unknown
Versions
Affected
  • From 0 through 4.7.2 (custom)
Vendor
miniorange
Product
web_application_firewall
CPEs
  • cpe:2.3:a:miniorange:web_application_firewall:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 through 2.1.1 (custom)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/6347f588-a3fd-4909-ad57-9d78787b5728?source=cve
x_transferred
https://plugins.trac.wordpress.org/browser/miniorange-malware-protection/tags/4.7.2/handler/login.php#L89
x_transferred
https://wordpress.org/plugins/miniorange-malware-protection/
x_transferred
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/6347f588-a3fd-4909-ad57-9d78787b5728?source=cve
Resource:
x_transferred
Hyperlink: https://plugins.trac.wordpress.org/browser/miniorange-malware-protection/tags/4.7.2/handler/login.php#L89
Resource:
x_transferred
Hyperlink: https://wordpress.org/plugins/miniorange-malware-protection/
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:13 Mar, 2024 | 16:15
Updated At:15 Apr, 2026 | 00:35

The Malware Scanner plugin and the Web Application Firewall plugin for WordPress (both by MiniOrange) are vulnerable to privilege escalation due to a missing capability check on the mo_wpns_init() function in all versions up to, and including, 4.7.2 (for Malware Scanner) and 2.1.1 (for Web Application Firewall). This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-304Primarysecurity@wordfence.com
CWE ID: CWE-304
Type: Primary
Source: security@wordfence.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://plugins.trac.wordpress.org/browser/miniorange-malware-protection/tags/4.7.2/handler/login.php#L89security@wordfence.com
N/A
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3054179%40miniorange-malware-protection&new=3054179%40miniorange-malware-protection&sfp_email=&sfph_mail=security@wordfence.com
N/A
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3054255%40web-application-firewall&new=3054255%40web-application-firewall&sfp_email=&sfph_mail=security@wordfence.com
N/A
https://wordpress.org/plugins/miniorange-malware-protection/security@wordfence.com
N/A
https://www.wordfence.com/threat-intel/vulnerabilities/id/6347f588-a3fd-4909-ad57-9d78787b5728?source=cvesecurity@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/miniorange-malware-protection/tags/4.7.2/handler/login.php#L89af854a3a-2127-422b-91ae-364da2661108
N/A
https://wordpress.org/plugins/miniorange-malware-protection/af854a3a-2127-422b-91ae-364da2661108
N/A
https://www.wordfence.com/threat-intel/vulnerabilities/id/6347f588-a3fd-4909-ad57-9d78787b5728?source=cveaf854a3a-2127-422b-91ae-364da2661108
N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/miniorange-malware-protection/tags/4.7.2/handler/login.php#L89
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3054179%40miniorange-malware-protection&new=3054179%40miniorange-malware-protection&sfp_email=&sfph_mail=
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3054255%40web-application-firewall&new=3054255%40web-application-firewall&sfp_email=&sfph_mail=
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://wordpress.org/plugins/miniorange-malware-protection/
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/6347f588-a3fd-4909-ad57-9d78787b5728?source=cve
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/miniorange-malware-protection/tags/4.7.2/handler/login.php#L89
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://wordpress.org/plugins/miniorange-malware-protection/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/6347f588-a3fd-4909-ad57-9d78787b5728?source=cve
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

14Records found
CVE-2023-6036
Matching Score-8
Assigner-WPScan
ShareView Details
Matching Score-8
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-56.30% / 98.13%
||
7 Day CHG~0.00%
Published-12 Feb, 2024 | 16:06
Updated-06 May, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Web3 – Crypto wallet Login & NFT token gating < 3.0.0 - Authentication Bypass

The Web3 WordPress plugin before 3.0.0 is vulnerable to an authentication bypass due to incorrect authentication checking in the login flow in functions 'handle_auth_request' and 'hadle_login_request'. This makes it possible for non authenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

Action-Not Available
Vendor-miniorangeUnknown
Product-web3_-_crypto_wallet_login_\&_nft_token_gatingWeb3
CWE ID-CWE-863
Incorrect Authorization
CWE ID-CWE-287
Improper Authentication
CVE-2025-9485
Matching Score-8
Assigner-Wordfence
ShareView Details
Matching Score-8
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.55% / 68.00%
||
7 Day CHG-0.20%
Published-04 Oct, 2025 | 02:24
Updated-08 Apr, 2026 | 17:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OAuth Single Sign On – SSO (OAuth Client) <= 6.26.12 - Authentication Bypass via get_resource_owner_from_id_token()

The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 6.26.12. This is due to the plugin performing unsafe JWT token processing without verification or validation in the `get_resource_owner_from_id_token` function. This makes it possible for unauthenticated attackers to bypass authentication and gain access to any existing user account - including administrators in certain configurations - or to create arbitrary subscriber-level accounts.

Action-Not Available
Vendor-cyberlord92
Product-OAuth Single Sign On – SSO (OAuth Client)
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CVE-2023-3249
Matching Score-8
Assigner-Wordfence
ShareView Details
Matching Score-8
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.17% / 38.28%
||
7 Day CHG~0.00%
Published-30 Jun, 2023 | 01:56
Updated-08 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Web3 – Crypto wallet Login & NFT token gating <= 2.6.0 - Authentication Bypass

The Web3 – Crypto wallet Login & NFT token gating plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.6.0. This is due to incorrect authentication checking in the 'hidden_form_data' function. This makes it possible for authenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

Action-Not Available
Vendor-miniorangecyberlord92
Product-web3_-_crypto_wallet_login_\&_nft_token_gatingWeb3 – Crypto wallet Login & NFT token gating
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2023-2982
Matching Score-8
Assigner-Wordfence
ShareView Details
Matching Score-8
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-70.12% / 98.70%
||
7 Day CHG~0.00%
Published-29 Jun, 2023 | 01:56
Updated-08 Apr, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.6.4 - Authentication Bypass

The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. This is due to insufficient encryption on the user being supplied during a login validated through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the email address associated with that user. This was partially patched in version 7.6.4 and fully patched in version 7.6.5.

Action-Not Available
Vendor-miniorangecyberlord92
Product-wordpress_social_login_and_register_\(discord\,_google\,_twitter\,_linkedin\)miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2024-9863
Matching Score-8
Assigner-Wordfence
ShareView Details
Matching Score-8
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.68% / 71.61%
||
7 Day CHG~0.00%
Published-17 Oct, 2024 | 02:06
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Miniorange OTP Verification with Firebase <= 3.6.0 - Privilege Escalation via Registration due to Administrator Default User Role Value

The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure 'administrator' default value for the 'default_user_role' option. This makes it possible for unauthenticated attackers to register an administrator user even if the registration form is disabled.

Action-Not Available
Vendor-cyberlord92miniorange
Product-Miniorange OTP Verification with Firebaseotp_verification
CWE ID-CWE-266
Incorrect Privilege Assignment
CVE-2026-2628
Matching Score-8
Assigner-Wordfence
ShareView Details
Matching Score-8
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.45% / 63.58%
||
7 Day CHG+0.03%
Published-03 Mar, 2026 | 01:21
Updated-22 Apr, 2026 | 21:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login <= 2.2.5 - Authentication Bypass

The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.2.5. This makes it possible for unauthenticated attackers to bypass authentication and log in as other users, including administrators.

Action-Not Available
Vendor-cyberlord92
Product-All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2022-34858
Matching Score-8
Assigner-Patchstack
ShareView Details
Matching Score-8
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.73% / 72.71%
||
7 Day CHG~0.00%
Published-22 Aug, 2022 | 14:49
Updated-28 Apr, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress OAuth 2.0 client for SSO plugin <= 1.11.3 - Authentication Bypass vulnerability

Authentication Bypass vulnerability in miniOrange OAuth 2.0 client for SSO plugin <= 1.11.3 at WordPress.

Action-Not Available
Vendor-miniorangeminiOrange
Product-oauth_2.0_client_for_ssoOAuth 2.0 client for SSO (WordPress plugin)
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-34149
Matching Score-8
Assigner-Patchstack
ShareView Details
Matching Score-8
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.86% / 75.17%
||
7 Day CHG~0.00%
Published-22 Aug, 2022 | 14:50
Updated-28 Apr, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP OAuth Server plugin <= 3.0.4 - Authentication Bypass vulnerability

Authentication Bypass vulnerability in miniOrange WP OAuth Server plugin <= 3.0.4 at WordPress.

Action-Not Available
Vendor-miniorangeminiOrange
Product-wp_oauth_serverWP OAuth Server (WordPress plugin)
CWE ID-CWE-264
Not Available
CWE ID-CWE-287
Improper Authentication
CVE-2024-9862
Matching Score-8
Assigner-Wordfence
ShareView Details
Matching Score-8
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.45% / 63.56%
||
7 Day CHG~0.00%
Published-17 Oct, 2024 | 02:06
Updated-08 Apr, 2026 | 17:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Miniorange OTP Verification with Firebase <= 3.6.0 - Unauthenticated Arbitrary User Password Change

The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 3.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources, and the user current password check is missing. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.

Action-Not Available
Vendor-miniorangecyberlord92miniorange
Product-otp_verification_with_firebaseMiniorange OTP Verification with Firebaseotp_verification
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2024-11087
Matching Score-8
Assigner-Wordfence
ShareView Details
Matching Score-8
Assigner-Wordfence
CVSS Score-8.1||HIGH
EPSS-0.05% / 16.17%
||
7 Day CHG~0.00%
Published-08 Mar, 2025 | 07:04
Updated-08 Apr, 2026 | 17:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon <= 200.3.9 - Authentication Bypass

The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 200.3.9. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username and the user does not have an already-existing account for the service returning the token.

Action-Not Available
Vendor-miniorangecyberlord92
Product-social_loginminiOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)
CWE ID-CWE-287
Improper Authentication
CVE-2026-30831
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8||HIGH
EPSS-0.08% / 22.75%
||
7 Day CHG~0.00%
Published-06 Mar, 2026 | 17:40
Updated-13 Mar, 2026 | 18:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Rocket.Chat: 2FA bypass and login of deactivated users via EE ddp-streamer

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.

Action-Not Available
Vendor-rocket.chatRocketChat
Product-rocket.chatRocket.Chat
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-304
Missing Critical Step in Authentication
CVE-2024-45764
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-9||CRITICAL
EPSS-0.10% / 27.47%
||
7 Day CHG~0.00%
Published-08 Nov, 2024 | 16:08
Updated-13 Nov, 2024 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell Enterprise SONiC OS, version(s) 4.1.x, 4.2.x, contain(s) a Missing Critical Step in Authentication vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Protection mechanism bypass. This is a critical severity vulnerability so Dell recommends customers to upgrade at the earliest opportunity.

Action-Not Available
Vendor-Dell Inc.
Product-enterprise_sonic_distributionEnterprise SONiC OSenterprise_sonic_os
CWE ID-CWE-304
Missing Critical Step in Authentication
CVE-2025-24322
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-8.1||HIGH
EPSS-0.09% / 25.21%
||
7 Day CHG~0.00%
Published-20 Aug, 2025 | 13:09
Updated-03 Nov, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unsafe default authentication vulnerability exists in the Initial Setup Authentication functionality of Tenda AC6 V5.0 V02.03.01.110. A specially crafted network request can lead to arbitrary code execution. An attacker can browse to the device to trigger this vulnerability.

Action-Not Available
Vendor-Tenda Technology Co., Ltd.
Product-ac6_firmwareac6AC6 V5.0
CWE ID-CWE-304
Missing Critical Step in Authentication
CVE-2022-2302
Matching Score-4
Assigner-CERT@VDE
ShareView Details
Matching Score-4
Assigner-CERT@VDE
CVSS Score-9.8||CRITICAL
EPSS-0.68% / 71.67%
||
7 Day CHG~0.00%
Published-11 Jul, 2022 | 10:40
Updated-16 Sep, 2024 | 22:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LENZE: Missing password verification in authorisation procedure

Multiple Lenze products of the cabinet series skip the password verification upon second login. After a user has been logged on to the device once, a remote attacker can get full access without knowledge of the password.

Action-Not Available
Vendor-lenzeLENZE
Product-c550c550_firmwarec520_firmwarec750_firmwarec750c520cabinet c520cabinet c750cabinet c550
CWE ID-CWE-304
Missing Critical Step in Authentication
CWE ID-CWE-287
Improper Authentication
Details not found