Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-5777

Summary
Assigner-CERT-In
Assigner Org ID-66834db9-ab24-42b4-be80-296b2e40335c
Published At-10 Apr, 2026 | 11:40
Updated At-10 Apr, 2026 | 12:42
Rejected At-
Credits

Security Misconfiguration Vulnerability in Atom 3x Projector

This vulnerability exists in the Atom 3x Projector due to improper exposure of the Android Debug Bridge (ADB) service over the local network without authentication or access controls. An unauthenticated attacker on the same network can exploit this vulnerability to obtain root-level access, leading to complete compromise of the targeted device.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:CERT-In
Assigner Org ID:66834db9-ab24-42b4-be80-296b2e40335c
Published At:10 Apr, 2026 | 11:40
Updated At:10 Apr, 2026 | 12:42
Rejected At:
▼CVE Numbering Authority (CNA)
Security Misconfiguration Vulnerability in Atom 3x Projector

This vulnerability exists in the Atom 3x Projector due to improper exposure of the Android Debug Bridge (ADB) service over the local network without authentication or access controls. An unauthenticated attacker on the same network can exploit this vulnerability to obtain root-level access, leading to complete compromise of the targeted device.

Affected Products
Vendor
EGate
Product
Atom 3X Projector
Default Status
unaffected
Versions
Affected
  • From Wed Jun 18 10:35:47 CST 2025 before Mar Tue 10 17:57:35 CST 2026 (date)
Problem Types
TypeCWE IDDescription
CWECWE-306CWE-306 Missing authentication for critical function
Type: CWE
CWE ID: CWE-306
Description: CWE-306 Missing authentication for critical function
Metrics
VersionBase scoreBase severityVector
4.08.7HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Upgrade Atom 3x Projector to latest version

Configurations
Workarounds
Exploits
Credits
finder
This vulnerability is reported by Chetan Nimbulkar
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0179
third-party-advisory
Hyperlink: https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0179
Resource:
third-party-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:vdisclose@cert-in.org.in
Published At:10 Apr, 2026 | 12:16
Updated At:13 Apr, 2026 | 15:02

This vulnerability exists in the Atom 3x Projector due to improper exposure of the Android Debug Bridge (ADB) service over the local network without authentication or access controls. An unauthenticated attacker on the same network can exploit this vulnerability to obtain root-level access, leading to complete compromise of the targeted device.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.08.7HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-306Primaryvdisclose@cert-in.org.in
CWE ID: CWE-306
Type: Primary
Source: vdisclose@cert-in.org.in
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0179vdisclose@cert-in.org.in
N/A
Hyperlink: https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0179
Source: vdisclose@cert-in.org.in
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

8Records found
CVE-2025-3759
Matching Score-4
Assigner-CERT.PL
ShareView Details
Matching Score-4
Assigner-CERT.PL
CVSS Score-8.7||HIGH
EPSS-0.10% / 27.92%
||
7 Day CHG~0.00%
Published-08 May, 2025 | 10:05
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authentication for Changing Device Configuration in WF2220

Endpoint /cgi-bin-igd/netcore_set.cgi which is used for changing device configuration is accessible without authentication. This poses a significant security threat allowing for e.g: administrator account hijacking or AP password changing. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Netis Systems Co., Ltd.
Product-WF2220
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2025-3758
Matching Score-4
Assigner-CERT.PL
ShareView Details
Matching Score-4
Assigner-CERT.PL
CVSS Score-8.7||HIGH
EPSS-0.12% / 31.48%
||
7 Day CHG~0.00%
Published-08 May, 2025 | 10:05
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Exposure of Device Configuration without Authentication in WF2220

WF2220 exposes endpoint /cgi-bin-igd/netcore_get.cgi that returns configuration of the device to unauthorized users. Returned configuration includes cleartext password. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Netis Systems Co., Ltd.
Product-WF2220
CWE ID-CWE-256
Plaintext Storage of a Password
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-47130
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.7||HIGH
EPSS-0.13% / 32.54%
||
7 Day CHG~0.00%
Published-26 Sep, 2024 | 17:30
Updated-17 Oct, 2024 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authentication for Critical Function in goTenna Pro

The goTenna Pro App allows unauthenticated attackers to remotely update the local public keys used for P2P and group messages. It is advised to update your app to the current release for enhanced encryption protocols.

Action-Not Available
Vendor-gotennagoTennagotenna
Product-gotenna_proPropro_app
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2025-8627
Matching Score-4
Assigner-TP-Link Systems Inc.
ShareView Details
Matching Score-4
Assigner-TP-Link Systems Inc.
CVSS Score-8.7||HIGH
EPSS-0.03% / 7.21%
||
7 Day CHG~0.00%
Published-25 Aug, 2025 | 21:17
Updated-15 Sep, 2025 | 14:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated Protocol Commands on TP-Link KP303

The TP-Link KP303 Smartplug can be issued unauthenticated protocol commands that may cause unintended power-off condition and potential information leak. This issue affects TP-Link KP303 (US) Smartplug: before 1.1.0.

Action-Not Available
Vendor-TP-Link Systems Inc.TP-Link Systems Inc.
Product-kp303_firmwarekp303TP-Link KP303 (US) Smartplug
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2025-7635
Matching Score-4
Assigner-Fluid Attacks
ShareView Details
Matching Score-4
Assigner-Fluid Attacks
CVSS Score-8.7||HIGH
EPSS-0.02% / 6.14%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 20:08
Updated-22 Dec, 2025 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Calix GigaCenter ONT - Unauthenticated Telnet

Unauthenticated Telnet access vulnerability in Calix GigaCenter ONT allows root access.This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE.

Action-Not Available
Vendor-calixCalix
Product-calix_gigacenter_ontGigaCenter ONT
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2025-65007
Matching Score-4
Assigner-CERT.PL
ShareView Details
Matching Score-4
Assigner-CERT.PL
CVSS Score-8.7||HIGH
EPSS-0.10% / 28.56%
||
7 Day CHG+0.02%
Published-18 Dec, 2025 | 15:10
Updated-19 Dec, 2025 | 18:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authentication for Critical Function in WODESYS WD-R608U router

In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) due to lack of authentication in the configuration change module in the adm.cgi endpoint, the unauthenticated attacker can execute commands including backup creation, device restart and resetting the device to factory settings. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Action-Not Available
Vendor-WODESYS
Product-WDR28WDR122B V2.0WD-R608U
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2025-4008
Matching Score-4
Assigner-ONEKEY GmbH
ShareView Details
Matching Score-4
Assigner-ONEKEY GmbH
CVSS Score-8.7||HIGH
EPSS-45.87% / 97.63%
||
7 Day CHG~0.00%
Published-21 May, 2025 | 15:31
Updated-26 Feb, 2026 | 18:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2025-10-23||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Arbitrary Command Injection in Smartbedded MeteoBridge

The Meteobridge web interface let meteobridge administrator manage their weather station data collection and administer their meteobridge system through a web application written in CGI shell scripts and C. This web interface exposes an endpoint that is vulnerable to command injection. Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges ( root ) on affected devices.

Action-Not Available
Vendor-smartbeddedSmartbeddedSmartbedded
Product-meteobridge_firmwaremeteobridge_vmMeteoBridgeMeteobridge
CWE ID-CWE-306
Missing Authentication for Critical Function
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-14300
Matching Score-4
Assigner-TP-Link Systems Inc.
ShareView Details
Matching Score-4
Assigner-TP-Link Systems Inc.
CVSS Score-8.7||HIGH
EPSS-0.12% / 30.57%
||
7 Day CHG~0.00%
Published-20 Dec, 2025 | 00:43
Updated-03 Apr, 2026 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated Access to connectAP API Endpoint on Tapo C100 and C200

The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the device’s Wi-Fi configuration, resulting in loss of connectivity and denial-of-service (DoS).

Action-Not Available
Vendor-TP Link Systems Inc.TP-Link Systems Inc.TP-Link Systems Inc.
Product-tapo_c200tapo_c200_firmwareTapo C200 V3Tapo C100 v5
CWE ID-CWE-306
Missing Authentication for Critical Function
Details not found