Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-64055

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-03 Dec, 2025 | 00:00
Updated At-05 Dec, 2025 | 20:08
Rejected At-
Credits

An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to access administrative functions of the device (e.g. file upload, firmware update, reboot...) via a crafted authentication bypass.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–ĽCommon Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:03 Dec, 2025 | 00:00
Updated At:05 Dec, 2025 | 20:08
Rejected At:
â–ĽCVE Numbering Authority (CNA)

An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to access administrative functions of the device (e.g. file upload, firmware update, reboot...) via a crafted authentication bypass.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
http://fanvil.com
N/A
https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64055.md
N/A
Hyperlink: http://fanvil.com
Resource: N/A
Hyperlink: https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64055.md
Resource: N/A
â–ĽAuthorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-287CWE-287 Improper Authentication
Type: CWE
CWE ID: CWE-287
Description: CWE-287 Improper Authentication
Metrics
VersionBase scoreBase severityVector
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64055.md
exploit
Hyperlink: https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64055.md
Resource:
exploit
Information is not available yet
â–ĽNational Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:03 Dec, 2025 | 21:15
Updated At:09 Jan, 2026 | 02:18

An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to access administrative functions of the device (e.g. file upload, firmware update, reboot...) via a crafted authentication bypass.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches

fanvil
fanvil
>>x210_firmware>>2.12.20
cpe:2.3:o:fanvil:x210_firmware:2.12.20:*:*:*:*:*:*:*
fanvil
fanvil
>>x210>>2.0
cpe:2.3:h:fanvil:x210:2.0:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-287Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-287
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
http://fanvil.comcve@mitre.org
Product
https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64055.mdcve@mitre.org
Exploit
Third Party Advisory
https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64055.md134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Third Party Advisory
Hyperlink: http://fanvil.com
Source: cve@mitre.org
Resource:
Product
Hyperlink: https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64055.md
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory
Hyperlink: https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64055.md
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

703Records found

CVE-2024-8181
Matching Score-4
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-4
Assigner-Tenable Network Security, Inc.
CVSS Score-9.8||CRITICAL
EPSS-60.84% / 98.25%
||
7 Day CHG~0.00%
Published-27 Aug, 2024 | 13:10
Updated-06 Sep, 2024 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Flowise Authentication Bypass

An Authentication Bypass vulnerability exists in Flowise version 1.8.2. This could allow a remote, unauthenticated attacker to access API endpoints as an administrator and allow them to access restricted functionality.

Action-Not Available
Vendor-flowiseaiFlowiseAIflowiseai
Product-flowiseFlowiseflowise
CWE ID-CWE-287
Improper Authentication
CVE-2020-10539
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.38% / 58.77%
||
7 Day CHG~0.00%
Published-05 Feb, 2021 | 09:21
Updated-04 Aug, 2024 | 11:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Epikur before 20.1.1. The Epikur server contains the checkPasswort() function that, upon user login, checks the submitted password against the user password's MD5 hash stored in the database. It is also compared to a second MD5 hash, which is the same for every user (aka a "Backdoor Password" of 3p1kursupport). If the submitted password matches either one, access is granted.

Action-Not Available
Vendor-epikurn/a
Product-epikurn/a
CWE ID-CWE-287
Improper Authentication
CVE-2020-10288
Matching Score-4
Assigner-Alias Robotics S.L.
ShareView Details
Matching Score-4
Assigner-Alias Robotics S.L.
CVSS Score-9.8||CRITICAL
EPSS-0.36% / 57.92%
||
7 Day CHG~0.00%
Published-15 Jul, 2020 | 22:15
Updated-16 Sep, 2024 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RVD#3327: No authentication required for accesing ABB IRC5 FTP server

IRC5 exposes an ftp server (port 21). Upon attempting to gain access you are challenged with a request of username and password, however you can input whatever you like. As long as the field isn't empty it will be accepted.

Action-Not Available
Vendor-windriverABB
Product-robotwareirb140irc5vxworksIRB140
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-287
Improper Authentication
CVE-2014-125060
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-7.3||HIGH
EPSS-0.39% / 59.31%
||
7 Day CHG~0.00%
Published-07 Jan, 2023 | 12:44
Updated-06 Aug, 2024 | 14:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
holdennb CollabCal calenderServer.cpp handleGet improper authentication

A vulnerability, which was classified as critical, was found in holdennb CollabCal. Affected is the function handleGet of the file calenderServer.cpp. The manipulation leads to improper authentication. It is possible to launch the attack remotely. The patch is identified as b80f6d1893607c99e5113967592417d0fe310ce6. It is recommended to apply a patch to fix this issue. VDB-217614 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-collabcal_projectholdennb
Product-collabcalCollabCal
CWE ID-CWE-287
Improper Authentication
CVE-2022-46170
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.6||HIGH
EPSS-0.31% / 53.81%
||
7 Day CHG~0.00%
Published-22 Dec, 2022 | 18:58
Updated-15 Apr, 2025 | 14:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CodeIgniter is vulnerable to improper authentication via Session Handlers

CodeIgniter is a PHP full-stack web framework. When an application uses (1) multiple session cookies (e.g., one for user pages and one for admin pages) and (2) a session handler is set to `DatabaseHandler`, `MemcachedHandler`, or `RedisHandler`, then if an attacker gets one session cookie (e.g., one for user pages), they may be able to access pages that require another session cookie (e.g., for admin pages). This issue has been patched, please upgrade to version 4.2.11 or later. As a workaround, use only one session cookie.

Action-Not Available
Vendor-codeignitercodeigniter4
Product-codeigniterCodeIgniter4
CWE ID-CWE-287
Improper Authentication
CVE-2022-28321
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.11% / 29.69%
||
7 Day CHG~0.00%
Published-19 Sep, 2022 | 21:10
Updated-29 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pam_access.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a machine can still get access. NOTE: the relevance of this issue is largely limited to openSUSE Tumbleweed and openSUSE Factory; it does not affect Linux-PAM upstream.

Action-Not Available
Vendor-linux-pamn/aopenSUSE
Product-tumbleweedlinux-pamn/a
CWE ID-CWE-287
Improper Authentication
CVE-2022-45174
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.03% / 8.33%
||
7 Day CHG~0.00%
Published-14 Apr, 2023 | 00:00
Updated-07 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication for SAML Users can occur under the /login/backup_code endpoint and the /api/v1/vdeskintegration/challenge endpoint. The correctness of the TOTP is not checked properly, and can be bypassed by passing any string as the backup code.

Action-Not Available
Vendor-liveboxcloudn/a
Product-vdeskn/a
CWE ID-CWE-287
Improper Authentication
CVE-2024-12264
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.36% / 57.55%
||
7 Day CHG-0.02%
Published-07 Jan, 2025 | 04:22
Updated-07 Jan, 2025 | 16:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PayU CommercePro Plugin <= 3.8.3 - Unauthenticated Privilege Escalation

The PayU CommercePro Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.8.3. This is due to /wp-json/payu/v1/generate-user-token and /wp-json/payu/v1/get-shipping-cost REST API endpoints not properly verifying a user's identity prior to setting the users ID and auth cookies. This makes it possible for unauthenticated attackers to create new administrative user accounts.

Action-Not Available
Vendor-payuplugin
Product-PayU CommercePro Plugin
CWE ID-CWE-287
Improper Authentication
CVE-2024-7746
Matching Score-4
Assigner-Automotive Security Research Group (ASRG)
ShareView Details
Matching Score-4
Assigner-Automotive Security Research Group (ASRG)
CVSS Score-9.5||CRITICAL
EPSS-0.25% / 48.08%
||
7 Day CHG~0.00%
Published-13 Aug, 2024 | 15:14
Updated-12 Oct, 2025 | 12:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Use of default credentials at Traccar fleet management solution

Use of Default Credentials vulnerability in Tananaev Solutions Traccar Server on Administrator Panel modules allows Authentication Abuse.This issue affects the privileged transactions implemented by the Traccar solution that should otherwise be protected by the authentication mechanism.  These transactions could have an impact on any sensitive aspect of the platform, including Confidentiality, Integrity and Availability.

Action-Not Available
Vendor-traccarTraccartraccar
Product-traccarServerserver
CWE ID-CWE-1392
Use of Default Credentials
CWE ID-CWE-287
Improper Authentication
CVE-2019-9564
Matching Score-4
Assigner-Bitdefender
ShareView Details
Matching Score-4
Assigner-Bitdefender
CVSS Score-7.5||HIGH
EPSS-0.38% / 58.88%
||
7 Day CHG~0.00%
Published-30 Mar, 2022 | 20:00
Updated-16 Sep, 2024 | 23:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authentication bypass in Wyze Cam Pan v2, Cam v2 and Cam v3

A vulnerability in the authentication logic of Wyze Cam Pan v2, Cam v2, Cam v3 allows an attacker to bypass login and control the devices. This issue affects: Wyze Cam Pan v2 versions prior to 4.49.1.47. Wyze Cam v2 versions prior to 4.9.8.1002. Wyze Cam v3 versions prior to 4.36.8.32.

Action-Not Available
Vendor-wyzeWyze
Product-cam_pan_v2_firmwarecam_pan_v2cam_v3cam_v2cam_v2_firmwarecam_v3_firmwareCam v2Cam v3Cam Pan v2
CWE ID-CWE-287
Improper Authentication
CVE-2018-7750
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-20.05% / 95.34%
||
7 Day CHG~0.00%
Published-13 Mar, 2018 | 18:00
Updated-05 Aug, 2024 | 06:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.

Action-Not Available
Vendor-paramikon/aDebian GNU/LinuxRed Hat, Inc.
Product-enterprise_linux_servervirtualizationdebian_linuxenterprise_linux_server_eusenterprise_linux_server_ausenterprise_linux_workstationcloudformsparamikoenterprise_linux_server_tusenterprise_linux_desktopansible_enginen/a
CWE ID-CWE-287
Improper Authentication
CVE-2024-12287
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.26% / 49.41%
||
7 Day CHG-0.08%
Published-18 Dec, 2024 | 07:02
Updated-18 Dec, 2024 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Biagiotti Membership <= 1.0.2 - Authentication Bypass via biagiotti_membership_check_facebook_user

The Biagiotti Membership plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.0.2. This is due to the plugin not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to log in as other users, such as administrators, granted they have access to an email.

Action-Not Available
Vendor-Mikado-Themes
Product-Biagiotti Membership
CWE ID-CWE-287
Improper Authentication
CVE-2020-28971
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.15% / 86.60%
||
7 Day CHG~0.00%
Published-01 Dec, 2020 | 15:12
Updated-04 Aug, 2024 | 16:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on Western Digital My Cloud OS 5 devices before 5.06.115. A NAS Admin authentication bypass vulnerability could allow an unauthenticated user to execute privileged commands on the device via a cookie, because of insufficient validation of URI paths.

Action-Not Available
Vendor-n/aWestern Digital Corp.
Product-my_cloud_os_5my_cloud_ex4100my_cloud_pr2100my_cloud_ex2_ultramy_cloud_mirror_gen_2my_cloud_pr4100n/a
CWE ID-CWE-287
Improper Authentication
CVE-2020-28970
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.62% / 87.54%
||
7 Day CHG~0.00%
Published-01 Dec, 2020 | 15:32
Updated-04 Aug, 2024 | 16:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on Western Digital My Cloud OS 5 devices before 5.06.115. A NAS Admin authentication bypass vulnerability could allow an unauthenticated user to execute privileged commands on the device via a cookie. (In addition, an upload endpoint could then be used by an authenticated administrator to upload executable PHP scripts.)

Action-Not Available
Vendor-n/aWestern Digital Corp.
Product-my_cloud_os_5my_cloud_ex4100my_cloud_pr2100my_cloud_ex2_ultramy_cloud_mirror_gen_2my_cloud_pr4100n/a
CWE ID-CWE-287
Improper Authentication
CVE-2024-12919
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.67% / 70.97%
||
7 Day CHG~0.00%
Published-14 Jan, 2025 | 09:21
Updated-22 Jan, 2025 | 17:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.13.7 - Authentication Bypass via pms_payment_id

The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.13.7. This is due to the pms_pb_payment_redirect_link function using the user-controlled value supplied via the 'pms_payment_id' parameter to authenticate users without any further identity validation. This makes it possible for unauthenticated attackers with knowledge of a valid payment ID to log in as any user who has made a purchase on the targeted site.

Action-Not Available
Vendor-cozmoslabsmadalinungureanu
Product-membership_\&_content_restriction_-_paid_member_subscriptionsPaid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
CWE ID-CWE-287
Improper Authentication
CVE-2024-11209
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 39.84%
||
7 Day CHG~0.00%
Published-14 Nov, 2024 | 13:31
Updated-19 Nov, 2024 | 19:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apereo CAS 2FA login improper authentication

A vulnerability was found in Apereo CAS 6.6. It has been classified as critical. This affects an unknown part of the file /login?service of the component 2FA. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-apereoApereoapereo
Product-central_authentication_serviceCAScas_server
CWE ID-CWE-287
Improper Authentication
CVE-2024-1148
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-9.8||CRITICAL
EPSS-0.07% / 21.44%
||
7 Day CHG~0.00%
Published-21 Mar, 2024 | 07:34
Updated-11 Nov, 2024 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Weak Access Control - Arbitrary file upload

Weak access control in OpenText PVCS Version Manager allows potential bypassing of authentication and uploading of files.

Action-Not Available
Vendor-Open Text Corporation
Product-PVCS Version Managerpvcs_version_manager
CWE ID-CWE-287
Improper Authentication
CVE-2024-5806
Matching Score-4
Assigner-Progress Software Corporation
ShareView Details
Matching Score-4
Assigner-Progress Software Corporation
CVSS Score-9.1||CRITICAL
EPSS-89.94% / 99.56%
||
7 Day CHG~0.00%
Published-25 Jun, 2024 | 15:04
Updated-16 Jan, 2025 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MOVEit Transfer Authentication Bypass Vulnerability

Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2.

Action-Not Available
Vendor-Progress Software Corporation
Product-moveit_transferMOVEit Transfermoveit_transfer
CWE ID-CWE-287
Improper Authentication
CVE-2024-1147
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-9.8||CRITICAL
EPSS-0.07% / 21.44%
||
7 Day CHG~0.00%
Published-21 Mar, 2024 | 07:33
Updated-11 Nov, 2024 | 20:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Weak Access Control - Arbitrary file download

Weak access control in OpenText PVCS Version Manager allows potential bypassing of authentication and download of files.

Action-Not Available
Vendor-Open Text Corporation
Product-PVCS Version Managerpvcs_version_manager
CWE ID-CWE-287
Improper Authentication
CVE-2024-37019
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.45% / 62.94%
||
7 Day CHG~0.00%
Published-03 Jun, 2024 | 18:02
Updated-13 Feb, 2025 | 15:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Northern.tech Mender Enterprise before 3.6.4 and 3.7.x before 3.7.4 has Weak Authentication.

Action-Not Available
Vendor-n/anorthern.tech
Product-n/amender
CWE ID-CWE-287
Improper Authentication
CVE-2019-6675
Matching Score-4
Assigner-F5, Inc.
ShareView Details
Matching Score-4
Assigner-F5, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.14% / 33.35%
||
7 Day CHG~0.00%
Published-26 Nov, 2019 | 14:49
Updated-04 Aug, 2024 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

BIG-IP configurations using Active Directory, LDAP, or Client Certificate LDAP for management authentication with multiple servers are exposed to a vulnerability which allows an authentication bypass. This can result in a complete compromise of the system. This issue only impacts specific engineering hotfixes using the aforementioned authentication configuration. NOTE: This vulnerability does not affect any of the BIG-IP major, minor or maintenance releases you obtained from downloads.f5.com. The affected Engineering Hotfix builds are as follows: Hotfix-BIGIP-14.1.0.3.0.79.6-ENG.iso, Hotfix-BIGIP-14.1.0.3.0.97.6-ENG.iso, Hotfix-BIGIP-14.1.0.3.0.99.6-ENG.iso, Hotfix-BIGIP-14.1.0.5.0.15.5-ENG.iso, Hotfix-BIGIP-14.1.0.5.0.36.5-ENG.iso, Hotfix-BIGIP-14.1.0.5.0.40.5-ENG.iso, Hotfix-BIGIP-14.1.0.6.0.11.9-ENG.iso, Hotfix-BIGIP-14.1.0.6.0.14.9-ENG.iso, Hotfix-BIGIP-14.1.0.6.0.68.9-ENG.iso, Hotfix-BIGIP-14.1.0.6.0.70.9-ENG.iso, Hotfix-BIGIP-14.1.2.0.11.37-ENG.iso, Hotfix-BIGIP-14.1.2.0.18.37-ENG.iso, Hotfix-BIGIP-14.1.2.0.32.37-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.46.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.14.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.16.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.34.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.97.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.99.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.105.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.111.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.115.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.122.4-ENG.iso, Hotfix-BIGIP-15.0.1.0.33.11-ENG.iso, Hotfix-BIGIP-15.0.1.0.48.11-ENG.iso

Action-Not Available
Vendor-n/aF5, Inc.
Product-big-ip_application_acceleration_managerbig-ip_link_controllerbig-ip_policy_enforcement_managerbig-ip_fraud_protection_servicebig-ip_global_traffic_managerbig-ip_local_traffic_managerbig-ip_access_policy_managerbig-ip_analyticsbig-ip_domain_name_systembig-ip_advanced_firewall_managerbig-ip_application_security_managerBIG-IP
CWE ID-CWE-287
Improper Authentication
CVE-2024-5732
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.26% / 49.13%
||
7 Day CHG~0.00%
Published-07 Jun, 2024 | 10:00
Updated-01 Aug, 2024 | 21:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Clash Proxy Port improper authentication

A vulnerability was found in Clash up to 0.20.1 on Windows. It has been declared as critical. This vulnerability affects unknown code of the component Proxy Port. The manipulation leads to improper authentication. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. VDB-267406 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-clashforwindowsn/a
Product-clashClash
CWE ID-CWE-287
Improper Authentication
CVE-2024-11015
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.19% / 40.51%
||
7 Day CHG~0.00%
Published-12 Dec, 2024 | 03:23
Updated-12 Dec, 2024 | 16:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sign In With Google <= 1.8.0 - Authentication Bypass in authenticate_user

The Sign In With Google plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.8.0. This is due to the 'authenticate_user' user function not implementing sufficient null value checks when setting the access token and user information. This makes it possible for unauthenticated attackers to log in as the first user who has signed in using Google OAuth, which could be the site administrator.

Action-Not Available
Vendor-tarecord
Product-Sign In With Google
CWE ID-CWE-287
Improper Authentication
CVE-2013-7137
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-10.88% / 93.22%
||
7 Day CHG~0.00%
Published-26 Jan, 2014 | 01:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The "remember me" functionality in login.php in Burden before 1.8.1 allows remote attackers to bypass authentication and gain privileges by setting the burden_user_rememberme cookie to 1.

Action-Not Available
Vendor-burden_projectn/a
Product-burdenn/a
CWE ID-CWE-287
Improper Authentication
CVE-2024-48445
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.15% / 86.62%
||
7 Day CHG~0.00%
Published-04 Feb, 2025 | 00:00
Updated-06 Feb, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in compop.ca ONLINE MALL v.3.5.3 allows a remote attacker to execute arbitrary code via the rid, tid, et, and ts parameters.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-287
Improper Authentication
CVE-2024-1039
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-0.13% / 32.28%
||
7 Day CHG+0.02%
Published-01 Feb, 2024 | 21:38
Updated-07 Aug, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Use of Hard-coded Credentials in Gessler GmbH WEB-MASTER

Gessler GmbH WEB-MASTER has a restoration account that uses weak hard coded credentials and if exploited could allow an attacker control over the web management of the device.

Action-Not Available
Vendor-gesslergmbhGessler GmbH
Product-web-masterweb-master_firmwareWEB-MASTER
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2013-3367
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.51% / 65.86%
||
7 Day CHG~0.00%
Published-13 Nov, 2019 | 20:43
Updated-06 Aug, 2024 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Undocumented TELNET service in TRENDnet TEW-691GR and TEW-692GR when a web page named backdoor contains an HTML parameter of password and a value of j78G¬DFdg_24Mhw3.

Action-Not Available
Vendor-n/aTRENDnet, Inc.
Product-tew-691grtew-691gr_firmwaretew-692grtew-692gr_firmwaren/a
CWE ID-CWE-287
Improper Authentication
CVE-2024-11087
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.1||HIGH
EPSS-0.35% / 56.82%
||
7 Day CHG~0.00%
Published-08 Mar, 2025 | 07:04
Updated-13 Mar, 2025 | 13:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon <= 200.3.9 - Authentication Bypass

The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 200.3.9. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username and the user does not have an already-existing account for the service returning the token.

Action-Not Available
Vendor-miniorangecyberlord92
Product-social_loginminiOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon
CWE ID-CWE-287
Improper Authentication
CVE-2024-0988
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.17% / 37.98%
||
7 Day CHG~0.00%
Published-29 Jan, 2024 | 00:00
Updated-12 Sep, 2024 | 18:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sichuan Yougou Technology KuERP common.php checklogin improper authentication

A vulnerability classified as critical was found in Sichuan Yougou Technology KuERP up to 1.0.4. Affected by this vulnerability is the function checklogin of the file /application/index/common.php. The manipulation of the argument App_User_id/App_user_Token leads to improper authentication. The exploit has been disclosed to the public and may be used. The identifier VDB-252253 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-kuerp_projectSichuan Yougou Technology
Product-kuerpKuERP
CWE ID-CWE-287
Improper Authentication
CVE-2022-4126
Matching Score-4
Assigner-Asea Brown Boveri Ltd. (ABB)
ShareView Details
Matching Score-4
Assigner-Asea Brown Boveri Ltd. (ABB)
CVSS Score-9.6||CRITICAL
EPSS-0.29% / 51.89%
||
7 Day CHG~0.00%
Published-27 Mar, 2023 | 04:46
Updated-19 Feb, 2025 | 16:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Use of Default Password

Use of Default Password vulnerability in ABB RCCMD on Windows, Linux, MacOS allows Try Common or Default Usernames and Passwords.This issue affects RCCMD: before 4.40 230207.

Action-Not Available
Vendor-ABBLinux Kernel Organization, IncMicrosoft CorporationApple Inc.
Product-rccmdwindowsmacoslinux_kernelRCCMD
CWE ID-CWE-1393
Use of Default Password
CWE ID-CWE-287
Improper Authentication
CVE-2019-20786
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.22% / 78.76%
||
7 Day CHG~0.00%
Published-19 Apr, 2020 | 19:57
Updated-05 Aug, 2024 | 02:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

handleIncomingPacket in conn.go in Pion DTLS before 1.5.2 lacks a check for application data with epoch 0, which allows remote attackers to inject arbitrary unencrypted data after handshake completion.

Action-Not Available
Vendor-pionn/a
Product-dtlsn/a
CWE ID-CWE-287
Improper Authentication
CVE-2024-53704
Matching Score-4
Assigner-SonicWall, Inc.
ShareView Details
Matching Score-4
Assigner-SonicWall, Inc.
CVSS Score-8.2||HIGH
EPSS-94.06% / 99.90%
||
7 Day CHG+0.24%
Published-09 Jan, 2025 | 06:52
Updated-31 Oct, 2025 | 15:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2025-03-11||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication.

Action-Not Available
Vendor-SonicWall Inc.
Product-tz270nsa_4700sonicostz470wnssp_11700tz570tz670nsa_3700nsa_5700tz270wtz470tz370wtz570wnsv_870nssp_13700nssp_15700nssp_10700tz570pnsv_270nsa_6700tz80nsa_2700nsv_470tz370SonicOSSonicOS
CWE ID-CWE-287
Improper Authentication
CVE-2013-4982
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-39.62% / 97.21%
||
7 Day CHG~0.00%
Published-27 Dec, 2019 | 16:53
Updated-06 Aug, 2024 | 16:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

AVTECH AVN801 DVR has a security bypass via the administration login captcha

Action-Not Available
Vendor-n/aAvtec (Motorola Solutions)
Product-avn801_dvr_firmwareavn801_dvrn/a
CWE ID-CWE-287
Improper Authentication
CVE-2024-0799
Matching Score-4
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-4
Assigner-Tenable Network Security, Inc.
CVSS Score-9.8||CRITICAL
EPSS-48.83% / 97.68%
||
7 Day CHG+2.89%
Published-13 Mar, 2024 | 18:57
Updated-16 Dec, 2025 | 18:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authentication Bypass via wizardLogin in Arcserve Unified Data Protection

An authentication bypass vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in the edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl.doLogin() function within wizardLogin.

Action-Not Available
Vendor-Arcserve, LLC
Product-udpUnified Data Protectionarcserve_unified_data_protection
CWE ID-CWE-287
Improper Authentication
CVE-2013-4976
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-8.26% / 92.05%
||
7 Day CHG~0.00%
Published-27 Dec, 2019 | 16:48
Updated-06 Aug, 2024 | 16:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Hikvision DS-2CD7153-E IP Camera has security bypass via hardcoded credentials

Action-Not Available
Vendor-n/aHIKVISION
Product-ds-2cd7153-e_firmwareds-2cd7153-en/a
CWE ID-CWE-287
Improper Authentication
CVE-2024-47078
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-0.05% / 16.14%
||
7 Day CHG+0.01%
Published-25 Sep, 2024 | 15:32
Updated-02 Dec, 2024 | 18:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Meshtastic firmware Authentication/Authorization Bypass via MQTT

Meshtastic is an open source, off-grid, decentralized, mesh network. Meshtastic uses MQTT to communicate over an internet connection to a shared or private MQTT Server. Nodes can communicate directly via an internet connection or proxied through a connected phone (i.e., via bluetooth). Prior to version 2.5.1, multiple weaknesses in the MQTT implementation allow for authentication and authorization bypasses resulting in unauthorized control of MQTT-connected nodes. Version 2.5.1 contains a patch.

Action-Not Available
Vendor-meshtasticmeshtasticmeshtastic
Product-meshtastic_firmwarefirmwarefirmware
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-863
Incorrect Authorization
CVE-2013-5122
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.11% / 88.36%
||
7 Day CHG~0.00%
Published-07 Jan, 2020 | 13:29
Updated-06 Aug, 2024 | 17:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cisco Linksys Routers EA2700, EA3500, E4200, EA4500: A bug can cause an unsafe TCP port to open which leads to unauthenticated access

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-linksys_e4200_firmwarelinksys_ea4500_firmwarelinksys_ea4500linksys_e4200linksys_ea3500_firmwarelinksys_ea2700linksys_ea3500linksys_ea2700_firmwaren/a
CWE ID-CWE-287
Improper Authentication
CVE-2013-4621
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.12% / 31.90%
||
7 Day CHG~0.00%
Published-27 Dec, 2019 | 16:21
Updated-06 Aug, 2024 | 16:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Magnolia CMS before 4.5.9 has multiple access bypass vulnerabilities

Action-Not Available
Vendor-magdevgroupn/a
Product-magnolia_cmsn/a
CWE ID-CWE-287
Improper Authentication
CVE-2024-47533
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-69.66% / 98.62%
||
7 Day CHG+1.07%
Published-18 Nov, 2024 | 16:33
Updated-19 Nov, 2024 | 21:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cobbler allows anyone to connect to cobbler XML-RPC server with a known password and make changes

Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions 3.2.3 and 3.3.7. `utils.get_shared_secret()` always returns `-1`, which allows anyone to connect to cobbler XML-RPC as user `''` password `-1` and make any changes. This gives anyone with network access to a cobbler server full control of the server. Versions 3.2.3 and 3.3.7 fix the issue.

Action-Not Available
Vendor-cobblercobbler_project
Product-cobblercobbler
CWE ID-CWE-287
Improper Authentication
CVE-2024-47218
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.05% / 14.17%
||
7 Day CHG~0.00%
Published-22 Sep, 2024 | 00:00
Updated-28 Apr, 2025 | 17:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in vesoft NebulaGraph through 3.8.0. It allows bypassing authentication.

Action-Not Available
Vendor-vesoftn/aversoft
Product-nebulagraph_databasen/anebulagraph_studio
CWE ID-CWE-287
Improper Authentication
CVE-2023-6768
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-9.4||CRITICAL
EPSS-0.07% / 20.80%
||
7 Day CHG~0.00%
Published-20 Dec, 2023 | 09:49
Updated-16 Sep, 2024 | 18:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authentication bypass vulnerability in Amazing Little Poll

Authentication bypass vulnerability in Amazing Little Poll affecting versions 1.3 and 1.4. This vulnerability could allow an unauthenticated user to access the admin panel without providing any credentials by simply accessing the "lp_admin.php?adminstep=" parameter.

Action-Not Available
Vendor-mr-cornerAmazing Little poll
Product-amazing_little_pollAmazing Little poll
CWE ID-CWE-287
Improper Authentication
CVE-2013-3091
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.03% / 89.52%
||
7 Day CHG~0.00%
Published-07 Feb, 2020 | 18:03
Updated-06 Aug, 2024 | 16:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Authentication Bypass vulnerability in Belkin N300 (F7D7301v1) router allows remote attackers to bypass authentication using "Javascript debugging."

Action-Not Available
Vendor-n/aBelkin International, Inc.
Product-n300n300_firmwaren/a
CWE ID-CWE-287
Improper Authentication
CVE-2013-3215
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-73.67% / 98.78%
||
7 Day CHG~0.00%
Published-29 Jan, 2020 | 17:21
Updated-06 Aug, 2024 | 16:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerability due to improper authentication validation in the validateSession function.

Action-Not Available
Vendor-vtigern/a
Product-vtiger_crmn/a
CWE ID-CWE-287
Improper Authentication
CVE-2013-3317
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.21% / 78.67%
||
7 Day CHG~0.00%
Published-29 Jan, 2020 | 21:18
Updated-06 Aug, 2024 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear WNR1000v3 with firmware before 1.0.2.60 contains an Authentication Bypass via the NtgrBak key.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-wnr1000_firmwarewnr1000n/a
CWE ID-CWE-287
Improper Authentication
CVE-2013-3071
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.23% / 78.91%
||
7 Day CHG~0.00%
Published-28 Jan, 2020 | 20:03
Updated-06 Aug, 2024 | 16:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NETGEAR Centria WNDR4700 devices with firmware 1.0.0.34 allow authentication bypass.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-wndr4700_firmwarewndr4700n/a
CWE ID-CWE-287
Improper Authentication
CVE-2013-3316
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.21% / 78.67%
||
7 Day CHG~0.00%
Published-29 Jan, 2020 | 21:15
Updated-06 Aug, 2024 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear WNR1000v3 with firmware before 1.0.2.60 contains an Authentication Bypass due to the server skipping checks for URLs containing a ".jpg".

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-wnr1000_firmwarewnr1000n/a
CWE ID-CWE-287
Improper Authentication
CVE-2022-2765
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.61% / 69.42%
||
7 Day CHG~0.00%
Published-11 Aug, 2022 | 09:30
Updated-15 Apr, 2025 | 13:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Company Website CMS settings improper authentication

A vulnerability was found in SourceCodester Company Website CMS 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /dashboard/settings. The manipulation leads to improper authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-206161 was assigned to this vulnerability.

Action-Not Available
Vendor-company_website_cms_projectSourceCodester
Product-company_website_cmsCompany Website CMS
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2019-20027
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.35% / 57.03%
||
7 Day CHG~0.00%
Published-29 Jul, 2020 | 17:29
Updated-05 Aug, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Aspire-derived NEC PBXes, including the SV8100, SV9100, SL1100 and SL2100 with software releases 7.0 or higher contain the possibility if incorrectly configured to allow a blank username and password combination to be entered as a valid, successfully authenticating account.

Action-Not Available
Vendor-n/aNEC Corporation
Product-sv8100_firmwaresl1100_firmwaresv9100sl2100_firmwaresv9100_firmwaresl1100sl2100sv8100n/a
CWE ID-CWE-287
Improper Authentication
CVE-2013-2681
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-43.17% / 97.41%
||
7 Day CHG~0.00%
Published-05 Feb, 2020 | 20:51
Updated-06 Aug, 2024 | 15:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cisco Linksys E4200 1.0.05 Build 7 devices contain a Security Bypass Vulnerability which could allow remote attackers to gain unauthorized access.

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-linksys_e4200linksys_e4200_firmwaren/a
CWE ID-CWE-287
Improper Authentication
CVE-2025-55234
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-8.8||HIGH
EPSS-0.29% / 52.28%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 17:01
Updated-20 Feb, 2026 | 16:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows SMB Elevation of Privilege Vulnerability

SMB Server might be susceptible to relay attacks depending on the configuration. An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks. The SMB Server already supports mechanisms for hardening against relay attacks: SMB Server signing SMB Server Extended Protection for Authentication (EPA) Microsoft is releasing this CVE to provide customers with audit capabilities to help them to assess their environment and to identify any potential device or software incompatibility issues before deploying SMB Server hardening measures that protect against relay attacks. If you have not already enabled SMB Server hardening measures, we advise customers to take the following actions to be protected from these relay attacks: Assess your environment by utilizing the audit capabilities that we are exposing in the September 2025 security updates. See Support for Audit Events to deploy SMB Server Hardening—SMB Server Signing &amp; SMB Server EPA. Adopt appropriate SMB Server hardening measures.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_10_1507windows_11_22h2windows_server_2012windows_server_2008windows_10_21h2windows_11_23h2windows_11_24h2windows_server_2022windows_10_1607windows_10_22h2windows_server_2022_23h2windows_10_1809windows_server_2025windows_server_2019windows_server_2016Windows Server 2025Windows Server 2008 R2 Service Pack 1Windows 11 Version 23H2Windows Server 2012 (Server Core installation)Windows 10 Version 1809Windows Server 2008 Service Pack 2 (Server Core installation)Windows Server 2008 R2 Service Pack 1 (Server Core installation)Windows Server 2022, 23H2 Edition (Server Core installation)Windows 11 version 22H3Windows Server 2016 (Server Core installation)Windows 10 Version 22H2Windows Server 2019Windows Server 2022Windows 10 Version 1607Windows 11 Version 24H2Windows Server 2025 (Server Core installation)Windows Server 2019 (Server Core installation)Windows Server 2016Windows 11 version 22H2Windows Server 2012 R2Windows 10 Version 1507Windows 10 Version 21H2Windows Server 2008 Service Pack 2Windows Server 2012Windows Server 2012 R2 (Server Core installation)
CWE ID-CWE-287
Improper Authentication
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 14
  • 15
  • Next
Details not found