Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-24846

Summary
Assigner-jpcert
Assigner Org ID-ede6fdc4-6654-4307-a26d-3331c018e2ce
Published At-03 Mar, 2025 | 08:23
Updated At-03 Mar, 2025 | 13:17
Rejected At-
Credits

Authentication bypass vulnerability exists in FutureNet AS series (Industrial Routers) provided by Century Systems Co., Ltd. If this vulnerability is exploited, a remote unauthenticated attacker may obtain the device information such as MAC address by sending a specially crafted request.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:jpcert
Assigner Org ID:ede6fdc4-6654-4307-a26d-3331c018e2ce
Published At:03 Mar, 2025 | 08:23
Updated At:03 Mar, 2025 | 13:17
Rejected At:
▼CVE Numbering Authority (CNA)

Authentication bypass vulnerability exists in FutureNet AS series (Industrial Routers) provided by Century Systems Co., Ltd. If this vulnerability is exploited, a remote unauthenticated attacker may obtain the device information such as MAC address by sending a specially crafted request.

Affected Products
Vendor
Century Systems Co., Ltd.
Product
FutureNet AS-250/S
Versions
Affected
  • firmware Version 1.14.0 and earlier
Vendor
Century Systems Co., Ltd.
Product
FutureNet AS-250/F-SC
Versions
Affected
  • firmware Version 1.14.0 and earlier
Vendor
Century Systems Co., Ltd.
Product
FutureNet AS-250/F-KO
Versions
Affected
  • firmware Version 1.14.0 and earlier
Vendor
Century Systems Co., Ltd.
Product
FutureNet AS-250/NL
Versions
Affected
  • firmware Version 1.14.0 and earlier
Vendor
Century Systems Co., Ltd.
Product
FutureNet AS-250/KL
Versions
Affected
  • firmware Version 1.14.0 and earlier
Vendor
Century Systems Co., Ltd.
Product
FutureNet AS-250/KL Rev2
Versions
Affected
  • firmware Version 2.6.4 and earlier
Vendor
Century Systems Co., Ltd.
Product
FutureNet AS-250/L
Versions
Affected
  • firmware Version 2.6.4 and earlier
Vendor
Century Systems Co., Ltd.
Product
FutureNet AS-M250/L
Versions
Affected
  • firmware Version 2.6.4 and earlier
Vendor
Century Systems Co., Ltd.
Product
FutureNet AS-M250/KL
Versions
Affected
  • firmware Version 2.6.4 and earlier
Vendor
Century Systems Co., Ltd.
Product
FutureNet AS-M250/NL
Versions
Affected
  • firmware Version 2.6.4 and earlier
Vendor
Century Systems Co., Ltd.
Product
FutureNet AS-P250/NL
Versions
Affected
  • firmware Version 2.6.4 and earlier
Vendor
Century Systems Co., Ltd.
Product
FutureNet AS-P250/KL
Versions
Affected
  • firmware Version 2.6.4 and earlier
Vendor
Century Systems Co., Ltd.
Product
FutureNet AS-210/U4
Versions
Affected
  • firmware Version 2.6.4 and earlier
Problem Types
TypeCWE IDDescription
CWECWE-288Authentication Bypass Using an Alternate Path or Channel
Type: CWE
CWE ID: CWE-288
Description: Authentication Bypass Using an Alternate Path or Channel
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.centurysys.co.jp/backnumber/common/jvnvu96398949.html
N/A
https://jvn.jp/en/vu/JVNVU96398949/
N/A
Hyperlink: https://www.centurysys.co.jp/backnumber/common/jvnvu96398949.html
Resource: N/A
Hyperlink: https://jvn.jp/en/vu/JVNVU96398949/
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:vultures@jpcert.or.jp
Published At:03 Mar, 2025 | 09:15
Updated At:03 Mar, 2025 | 09:15

Authentication bypass vulnerability exists in FutureNet AS series (Industrial Routers) provided by Century Systems Co., Ltd. If this vulnerability is exploited, a remote unauthenticated attacker may obtain the device information such as MAC address by sending a specially crafted request.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-288Primaryvultures@jpcert.or.jp
CWE ID: CWE-288
Type: Primary
Source: vultures@jpcert.or.jp
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://jvn.jp/en/vu/JVNVU96398949/vultures@jpcert.or.jp
N/A
https://www.centurysys.co.jp/backnumber/common/jvnvu96398949.htmlvultures@jpcert.or.jp
N/A
Hyperlink: https://jvn.jp/en/vu/JVNVU96398949/
Source: vultures@jpcert.or.jp
Resource: N/A
Hyperlink: https://www.centurysys.co.jp/backnumber/common/jvnvu96398949.html
Source: vultures@jpcert.or.jp
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

9Records found
CVE-2024-31916
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.5||HIGH
EPSS-0.03% / 5.56%
||
7 Day CHG~0.00%
Published-27 Jun, 2024 | 17:45
Updated-02 Aug, 2024 | 01:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM OpenBMC information disclosure

IBM OpenBMC FW1050.00 through FW1050.10 BMCWeb HTTPS server component could disclose sensitive URI content to an unauthorized actor that bypasses authentication channels. IBM X-ForceID: 290026.

Action-Not Available
Vendor-IBM Corporation
Product-OpenBMCopenbmc
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2024-11981
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-7.5||HIGH
EPSS-0.13% / 32.58%
||
7 Day CHG~0.00%
Published-29 Nov, 2024 | 06:21
Updated-29 Nov, 2024 | 14:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Billion Electric router - Authentication Bypass

Certain models of routers from Billion Electric has an Authentication Bypass vulnerability, allowing unautheticated attackers to retrive contents of arbitrary web pages.

Action-Not Available
Vendor-Billion Electricbillion_electric
Product-M120NM100M150M500m120nm100m150m500
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2024-10438
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-7.5||HIGH
EPSS-0.40% / 60.11%
||
7 Day CHG+0.11%
Published-28 Oct, 2024 | 02:46
Updated-31 Oct, 2024 | 00:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sunnet eHRD CTMS - Authentication Bypass

The eHRD CTMS from Sunnet has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to bypass authentication by satisfying specific conditions in order to access certain functionalities.

Action-Not Available
Vendor-sun.netSunnetsunnet
Product-ehdr_ctmseHRD CTMSehrd_ctms
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2023-46319
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.11% / 29.85%
||
7 Day CHG~0.00%
Published-22 Oct, 2023 | 00:00
Updated-12 Sep, 2024 | 16:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WALLIX Bastion 9.x before 9.0.9 and 10.x before 10.0.5 allows unauthenticated access to sensitive information by bypassing access control on a network access administration web interface.

Action-Not Available
Vendor-wallixn/awallix
Product-bastionn/abastion
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2025-49125
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.07% / 21.81%
||
7 Day CHG+0.02%
Published-16 Jun, 2025 | 14:18
Updated-12 Aug, 2025 | 13:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Tomcat: Security constraint bypass for pre/post-resources

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-tomcatApache Tomcat
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2025-47707
Matching Score-4
Assigner-Drupal.org
ShareView Details
Matching Score-4
Assigner-Drupal.org
CVSS Score-7.5||HIGH
EPSS-0.08% / 24.15%
||
7 Day CHG~0.00%
Published-14 May, 2025 | 17:03
Updated-10 Jun, 2025 | 15:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-053

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0.

Action-Not Available
Vendor-miniorangeThe Drupal Association
Product-miniorange_2faEnterprise MFA - TFA for Drupal
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2025-4427
Matching Score-4
Assigner-Ivanti
ShareView Details
Matching Score-4
Assigner-Ivanti
CVSS Score-5.3||MEDIUM
EPSS-92.24% / 99.71%
||
7 Day CHG+5.18%
Published-13 May, 2025 | 15:45
Updated-30 Jul, 2025 | 01:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2025-06-09||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Authentication Bypass

An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_manager_mobileEndpoint Manager MobileEndpoint Manager Mobile (EPMM)
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2025-24496
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-7.5||HIGH
EPSS-0.04% / 11.55%
||
7 Day CHG-0.00%
Published-20 Aug, 2025 | 13:09
Updated-21 Aug, 2025 | 18:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information disclosure vulnerability exists in the /goform/getproductInfo functionality of Tenda AC6 V5.0 V02.03.01.110. Specially crafted network packets can lead to a disclosure of sensitive information. An attacker can send packets to trigger this vulnerability.

Action-Not Available
Vendor-Tenda Technology Co., Ltd.
Product-ac6_firmwareac6AC6 V5.0
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2024-42178
Matching Score-4
Assigner-HCL Software
ShareView Details
Matching Score-4
Assigner-HCL Software
CVSS Score-2.5||LOW
EPSS-0.09% / 27.03%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 21:24
Updated-16 May, 2025 | 13:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL MyXalytics is affected by a failure to restrict URL access vulnerability

HCL MyXalytics is affected by a failure to restrict URL access vulnerability. Unauthenticated users might gain unauthorized access to potentially confidential information, creating a risk of misuse, manipulation, or unauthorized distribution.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dryice_myxalyticsHCL MyXalytics
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-306
Missing Authentication for Critical Function
Details not found