CWE-294
Authentication Bypass by Capture-replay
A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
CVE-2025-46815 (GCVE-0-2025-46815)
Vulnerability from cvelistv5 – Published: 2025-05-06 17:13 – Updated: 2025-05-06 18:21
VLAI
Title
ZITADEL Allows IdP Intent Token Reuse
Summary
The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application’s URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It's important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/zitadel/zitadel/security/advis… | x_refsource_CONFIRM |
| https://github.com/zitadel/zitadel/commit/b1e60e7… | x_refsource_MISC |
| https://github.com/zitadel/zitadel/releases/tag/v… | x_refsource_MISC |
| https://github.com/zitadel/zitadel/releases/tag/v2.71.9 | x_refsource_MISC |
| https://github.com/zitadel/zitadel/releases/tag/v3.0.0 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46815",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-06T18:20:59.907100Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T18:21:14.384Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0-rc.1, \u003c 3.0.0"
},
{
"status": "affected",
"version": "\u003c 2.70.10"
},
{
"status": "affected",
"version": "\u003e= 2.71.0, \u003c 2.71.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application\u2019s URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It\u0027s important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294: Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384: Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T17:13:53.878Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-g4r8-mp7g-85fq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-g4r8-mp7g-85fq"
},
{
"name": "https://github.com/zitadel/zitadel/commit/b1e60e7398d677f08b06fd7715227f70b7ca1162",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/b1e60e7398d677f08b06fd7715227f70b7ca1162"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.70.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.70.10"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.71.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.71.9"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v3.0.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v3.0.0"
}
],
"source": {
"advisory": "GHSA-g4r8-mp7g-85fq",
"discovery": "UNKNOWN"
},
"title": "ZITADEL Allows IdP Intent Token Reuse"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46815",
"datePublished": "2025-05-06T17:13:53.878Z",
"dateReserved": "2025-04-30T19:41:58.133Z",
"dateUpdated": "2025-05-06T18:21:14.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47706 (GCVE-0-2025-47706)
Vulnerability from cvelistv5 – Published: 2025-05-14 17:02 – Updated: 2025-05-19 14:27
VLAI
Title
Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-052
Summary
Authentication Bypass by Capture-replay vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Remote Services with Stolen Credentials.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0.
Severity
4.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-294 - Authentication Bypass by Capture-replay
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Enterprise MFA - TFA for Drupal |
Affected:
0.0.0 , < 4.7.0
(semver)
Affected: 5.0.0 , < 5.2.0 (semver) |
Date Public
2025-05-07 17:07
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-47706",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T14:26:27.918933Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T14:27:48.058Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/miniorange_2fa",
"defaultStatus": "unaffected",
"product": "Enterprise MFA - TFA for Drupal",
"repo": "https://git.drupalcode.org/project/miniorange_2fa",
"vendor": "Drupal",
"versions": [
{
"lessThan": "4.7.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "5.2.0",
"status": "affected",
"version": "5.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Conrad Lara (cmlara)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sudhanshu Dhage (sudhanshu0542)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-05-07T17:07:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass by Capture-replay vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Remote Services with Stolen Credentials.\u003cp\u003eThis issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0.\u003c/p\u003e"
}
],
"value": "Authentication Bypass by Capture-replay vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Remote Services with Stolen Credentials.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0."
}
],
"impacts": [
{
"capecId": "CAPEC-555",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-555 Remote Services with Stolen Credentials"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294 Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T17:02:44.744Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-052"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-052",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-47706",
"datePublished": "2025-05-14T17:02:44.744Z",
"dateReserved": "2025-05-07T16:02:44.265Z",
"dateUpdated": "2025-05-19T14:27:48.058Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48012 (GCVE-0-2025-48012)
Vulnerability from cvelistv5 – Published: 2025-05-21 16:24 – Updated: 2025-05-21 16:49
VLAI
Title
One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-063
Summary
Authentication Bypass by Capture-replay vulnerability in Drupal One Time Password allows Remote Services with Stolen Credentials.This issue affects One Time Password: from 0.0.0 before 1.3.0.
Severity
4.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-294 - Authentication Bypass by Capture-replay
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | One Time Password |
Affected:
0.0.0 , < 1.3.0
(semver)
|
Date Public
2025-05-14 18:05
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-48012",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-21T16:49:18.588523Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T16:49:32.969Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/one_time_password",
"defaultStatus": "unaffected",
"product": "One Time Password",
"repo": "https://git.drupalcode.org/project/one_time_password",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.3.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Conrad Lara (cmlara)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "danielveza"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ivo Van Geertruyen (mr.baileys)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-05-14T18:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass by Capture-replay vulnerability in Drupal One Time Password allows Remote Services with Stolen Credentials.\u003cp\u003eThis issue affects One Time Password: from 0.0.0 before 1.3.0.\u003c/p\u003e"
}
],
"value": "Authentication Bypass by Capture-replay vulnerability in Drupal One Time Password allows Remote Services with Stolen Credentials.This issue affects One Time Password: from 0.0.0 before 1.3.0."
}
],
"impacts": [
{
"capecId": "CAPEC-555",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-555 Remote Services with Stolen Credentials"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294 Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T16:24:07.429Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-063"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-063",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-48012",
"datePublished": "2025-05-21T16:24:07.429Z",
"dateReserved": "2025-05-14T17:45:12.225Z",
"dateUpdated": "2025-05-21T16:49:32.969Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-49752 (GCVE-0-2025-49752)
Vulnerability from cvelistv5 – Published: 2025-11-20 22:18 – Updated: 2026-02-26 16:07 Exclusively Hosted Service
VLAI
Title
Azure Bastion Elevation of Privilege Vulnerability
Summary
Azure Bastion Elevation of Privilege Vulnerability
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-294 - Authentication Bypass by Capture-replay
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://msrc.microsoft.com/update-guide/vulnerabi… | vendor-advisorypatch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Azure Bastion Developer |
Affected:
-
|
Date Public
2025-11-20 08:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49752",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-22T04:55:20.993686Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T16:07:43.342Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Azure Bastion Developer",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "-"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:azure_bastion_developer:*:*:*:*:*:*:*:*",
"versionStartIncluding": "-",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2025-11-20T08:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure Bastion Elevation of Privilege Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 10,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294: Authentication Bypass by Capture-replay",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T20:45:59.672Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure Bastion Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49752"
}
],
"tags": [
"exclusively-hosted-service"
],
"title": "Azure Bastion Elevation of Privilege Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2025-49752",
"datePublished": "2025-11-20T22:18:37.511Z",
"dateReserved": "2025-06-09T22:49:37.619Z",
"dateUpdated": "2026-02-26T16:07:43.342Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54810 (GCVE-0-2025-54810)
Vulnerability from cvelistv5 – Published: 2025-09-18 21:28 – Updated: 2025-09-19 13:11
VLAI
Title
Cognex In-Sight Explorer and In-Sight Camera Firmware Authentication Bypass by Capture-replay
Summary
Cognex In-Sight Explorer and In-Sight Camera Firmware expose
a proprietary protocol on TCP port 1069 to perform management operations
such as modifying system properties. The user management functionality
handles sensitive data such as registered usernames and passwords over
an unencrypted channel, allowing an adjacent attacker to intercept valid
credentials to gain access to the device.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cognex | In-Sight 2000 series |
Affected:
5.x , ≤ 6.5.1
(custom)
|
|
| Cognex | In-Sight 7000 series |
Affected:
5.x , ≤ 6.5.1
(custom)
|
|
| Cognex | In-Sight 8000 series |
Affected:
5.x , ≤ 6.5.1
(custom)
|
|
| Cognex | In-Sight 9000 series |
Affected:
5.x , ≤ 6.5.1
(custom)
|
|
| Cognex | In-Sight Explorer |
Affected:
5.x , ≤ 6.5.1
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54810",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-19T13:11:28.075498Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-19T13:11:33.376Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "In-Sight 2000 series",
"vendor": "Cognex",
"versions": [
{
"lessThanOrEqual": "6.5.1",
"status": "affected",
"version": "5.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "In-Sight 7000 series",
"vendor": "Cognex",
"versions": [
{
"lessThanOrEqual": "6.5.1",
"status": "affected",
"version": "5.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "In-Sight 8000 series",
"vendor": "Cognex",
"versions": [
{
"lessThanOrEqual": "6.5.1",
"status": "affected",
"version": "5.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "In-Sight 9000 series",
"vendor": "Cognex",
"versions": [
{
"lessThanOrEqual": "6.5.1",
"status": "affected",
"version": "5.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "In-Sight Explorer",
"vendor": "Cognex",
"versions": [
{
"lessThanOrEqual": "6.5.1",
"status": "affected",
"version": "5.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Diego Giubertoni of Nozomi Networks reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cognex In-Sight Explorer and In-Sight Camera Firmware expose \n\na proprietary protocol on TCP port 1069 to perform management operations\n such as modifying system properties. The user management functionality \nhandles sensitive data such as registered usernames and passwords over \nan unencrypted channel, allowing an adjacent attacker to intercept valid\n credentials to gain access to the device."
}
],
"value": "Cognex In-Sight Explorer and In-Sight Camera Firmware expose \n\na proprietary protocol on TCP port 1069 to perform management operations\n such as modifying system properties. The user management functionality \nhandles sensitive data such as registered usernames and passwords over \nan unencrypted channel, allowing an adjacent attacker to intercept valid\n credentials to gain access to the device."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T21:28:19.297Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-261-06"
}
],
"source": {
"advisory": "ICSA-25-261-06",
"discovery": "EXTERNAL"
},
"title": "Cognex In-Sight Explorer and In-Sight Camera Firmware Authentication Bypass by Capture-replay",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cognex reports that In-Sight Explorer based vision systems are legacy \nproducts not intended for new applications. To reduce risk, asset owners\n are advised to switch to next generation In-Sight Vision Suite based \nvision systems, such as the In-Sight 2800, In-Sight 3800, In-Sight 8900 \nseries embedded cameras.\n\n\u003cbr\u003e"
}
],
"value": "Cognex reports that In-Sight Explorer based vision systems are legacy \nproducts not intended for new applications. To reduce risk, asset owners\n are advised to switch to next generation In-Sight Vision Suite based \nvision systems, such as the In-Sight 2800, In-Sight 3800, In-Sight 8900 \nseries embedded cameras."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-54810",
"datePublished": "2025-09-18T21:28:19.297Z",
"dateReserved": "2025-08-06T16:32:41.319Z",
"dateUpdated": "2025-09-19T13:11:33.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6029 (GCVE-0-2025-6029)
Vulnerability from cvelistv5 – Published: 2025-06-13 14:25 – Updated: 2025-06-13 14:52
VLAI
Title
KIA-branded Aftermarket Generic Smart Keyless Entry System Replay Attack
Summary
Use of fixed learning codes, one code to lock the car and the other code to unlock it, the Key Fob Transmitter in KIA-branded Aftermarket Generic Smart Keyless Entry System, primarily distributed in Ecuador, which allows a replay attack.
Manufacture is unknown at the time of release. CVE Record will be updated once this is clarified.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://revers3everything.com/unlocking-thousands… | related |
| https://asrg.io/security-advisories/cve-2025-6029… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| KIA | Aftermarket Generic Smart Keyless Entry System |
Affected:
KIA Ecuador Key Fobs version 2022/2023
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6029",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T14:52:08.865188Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T14:52:13.217Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Aftermarket Generic Smart Keyless Entry System",
"vendor": "KIA",
"versions": [
{
"status": "affected",
"version": "KIA Ecuador Key Fobs version 2022/2023"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Danilo Erazo"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use of fixed learning codes, one code to lock the car and the other code to unlock it, the\u0026nbsp;Key Fob Transmitter in KIA-branded Aftermarket Generic Smart Keyless Entry System, primarily distributed in Ecuador, which allows a replay attack.\u003cbr\u003e\u003cbr\u003eManufacture is unknown at the time of release.\u0026nbsp; CVE Record will be updated once this is clarified.\u0026nbsp;"
}
],
"value": "Use of fixed learning codes, one code to lock the car and the other code to unlock it, the\u00a0Key Fob Transmitter in KIA-branded Aftermarket Generic Smart Keyless Entry System, primarily distributed in Ecuador, which allows a replay attack.\n\nManufacture is unknown at the time of release.\u00a0 CVE Record will be updated once this is clarified."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
},
{
"capecId": "CAPEC-112",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-112 Brute Force"
}
]
},
{
"capecId": "CAPEC-117",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-117 Interception"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294 Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T14:25:50.597Z",
"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"shortName": "ASRG"
},
"references": [
{
"tags": [
"related"
],
"url": "https://revers3everything.com/unlocking-thousands-of-cars-by-exploiting-learning-codes-from-key-fobs/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://asrg.io/security-advisories/cve-2025-6029-kia-branded-aftermarket-generic-smart-keyless-entry-system-replay-attack/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eReplace the current Keyless Entry System (KES) with one that utilizes rolling code\u0026nbsp;technology.\u003c/li\u003e\u003cli\u003eAvoid using key fobs with fixed or learning-code systems.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Replace the current Keyless Entry System (KES) with one that utilizes rolling code\u00a0technology.\n * Avoid using key fobs with fixed or learning-code systems."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "KIA-branded Aftermarket Generic Smart Keyless Entry System Replay Attack",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"assignerShortName": "ASRG",
"cveId": "CVE-2025-6029",
"datePublished": "2025-06-13T14:25:50.597Z",
"dateReserved": "2025-06-12T14:11:07.087Z",
"dateUpdated": "2025-06-13T14:52:13.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6030 (GCVE-0-2025-6030)
Vulnerability from cvelistv5 – Published: 2025-06-13 14:38 – Updated: 2025-06-13 14:51
VLAI
Title
Autoeastern Smart Keyless Entry System Replay Attack
Summary
Use of fixed learning codes, one code to lock the car and the other code to unlock it, in the Key Fob Transmitter in Cyclone Matrix TRF Smart Keyless Entry System, which allows a replay attack.
Research was completed on the 2024 KIA Soluto. Attack confirmed on other KIA Models in Ecuador.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://revers3everything.com/unlocking-thousands… | related |
| https://asrg.io/security-advisories/cve-2025-6030… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Autoeastern | Cyclone Matrix TRF |
Affected:
2024 , ≤ 2025
(date)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6030",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T14:51:32.465517Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T14:51:37.000Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cyclone Matrix TRF",
"vendor": "Autoeastern",
"versions": [
{
"changes": [
{
"at": "L-ALARMATRF-001",
"status": "unaffected"
}
],
"lessThanOrEqual": "2025",
"status": "affected",
"version": "2024",
"versionType": "date"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Danilo Erazo"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use of fixed learning codes, one code to lock the car and the other code to unlock it, in the\u0026nbsp;Key Fob Transmitter in Cyclone Matrix TRF\u0026nbsp;Smart Keyless Entry System, which allows a replay attack.\u003cbr\u003e\u003cbr\u003eResearch was completed on the 2024 KIA Soluto.\u0026nbsp; Attack confirmed on other KIA Models in Ecuador.\u0026nbsp;"
}
],
"value": "Use of fixed learning codes, one code to lock the car and the other code to unlock it, in the\u00a0Key Fob Transmitter in Cyclone Matrix TRF\u00a0Smart Keyless Entry System, which allows a replay attack.\n\nResearch was completed on the 2024 KIA Soluto.\u00a0 Attack confirmed on other KIA Models in Ecuador."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
},
{
"capecId": "CAPEC-112",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-112 Brute Force"
}
]
},
{
"capecId": "CAPEC-117",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-117 Interception"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294 Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T14:38:58.103Z",
"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"shortName": "ASRG"
},
"references": [
{
"tags": [
"related"
],
"url": "https://revers3everything.com/unlocking-thousands-of-cars-by-exploiting-learning-codes-from-key-fobs/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://asrg.io/security-advisories/cve-2025-6030-autoeastern-smart-keyless-entry-system-replay-attack/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eReplace the current Keyless Entry System (KES) with one that utilizes rolling code technology (L-ALARMATRF-001)\u003c/li\u003e\u003cli\u003eAvoid using key fobs with fixed or learning code systems.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Replace the current Keyless Entry System (KES) with one that utilizes rolling code technology (L-ALARMATRF-001)\n * Avoid using key fobs with fixed or learning code systems."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Autoeastern Smart Keyless Entry System Replay Attack",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"assignerShortName": "ASRG",
"cveId": "CVE-2025-6030",
"datePublished": "2025-06-13T14:38:58.103Z",
"dateReserved": "2025-06-12T14:11:08.030Z",
"dateUpdated": "2025-06-13T14:51:37.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6533 (GCVE-0-2025-6533)
Vulnerability from cvelistv5 – Published: 2025-06-24 00:00 – Updated: 2025-06-25 15:02
VLAI
Title
xxyopen/201206030 novel-plus CATCHA LoginController.java ajaxLogin authentication replay
Summary
A vulnerability, which was classified as critical, has been found in xxyopen/201206030 novel-plus up to 5.1.3. Affected by this issue is the function ajaxLogin of the file novel-admin/src/main/java/com/java2nb/system/controller/LoginController.java of the component CATCHA Handler. The manipulation leads to authentication bypass by capture-replay. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.313652 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.313652 | signaturepermissions-required |
| https://vuldb.com/?submit.596481 | third-party-advisory |
| https://blog.0xd00.com/blog/captcha-replay-attack… | related |
| https://blog.0xd00.com/blog/captcha-replay-attack… | exploit |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| xxyopen | novel-plus |
Affected:
5.1.0
Affected: 5.1.1 Affected: 5.1.2 Affected: 5.1.3 |
|
| 201206030 | novel-plus |
Affected:
5.1.0
Affected: 5.1.1 Affected: 5.1.2 Affected: 5.1.3 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6533",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-25T14:53:09.187955Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-25T15:02:40.680Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://blog.0xd00.com/blog/captcha-replay-attack-lead-to-brute-force-protection-bypass"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"CATCHA Handler"
],
"product": "novel-plus",
"vendor": "xxyopen",
"versions": [
{
"status": "affected",
"version": "5.1.0"
},
{
"status": "affected",
"version": "5.1.1"
},
{
"status": "affected",
"version": "5.1.2"
},
{
"status": "affected",
"version": "5.1.3"
}
]
},
{
"modules": [
"CATCHA Handler"
],
"product": "novel-plus",
"vendor": "201206030",
"versions": [
{
"status": "affected",
"version": "5.1.0"
},
{
"status": "affected",
"version": "5.1.1"
},
{
"status": "affected",
"version": "5.1.2"
},
{
"status": "affected",
"version": "5.1.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "bpy9ft (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as critical, has been found in xxyopen/201206030 novel-plus up to 5.1.3. Affected by this issue is the function ajaxLogin of the file novel-admin/src/main/java/com/java2nb/system/controller/LoginController.java of the component CATCHA Handler. The manipulation leads to authentication bypass by capture-replay. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Eine kritische Schwachstelle wurde in xxyopen/201206030 novel-plus bis 5.1.3 entdeckt. Dies betrifft die Funktion ajaxLogin der Datei novel-admin/src/main/java/com/java2nb/system/controller/LoginController.java der Komponente CATCHA Handler. Durch das Beeinflussen mit unbekannten Daten kann eine authentication bypass by capture-replay-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie ist schwierig ausnutzbar. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.1,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-24T00:00:12.882Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-313652 | xxyopen/201206030 novel-plus CATCHA LoginController.java ajaxLogin authentication replay",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.313652"
},
{
"name": "VDB-313652 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.313652"
},
{
"name": "Submit #596481 | xxyopen novel-plus 5.1.3 Improper Restriction of Excessive Authentication Attempts",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.596481"
},
{
"tags": [
"related"
],
"url": "https://blog.0xd00.com/blog/captcha-replay-attack-lead-to-brute-force-protection-bypass"
},
{
"tags": [
"exploit"
],
"url": "https://blog.0xd00.com/blog/captcha-replay-attack-lead-to-brute-force-protection-bypass#poc"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-06-23T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-06-23T16:37:35.000Z",
"value": "VulDB entry last update"
}
],
"title": "xxyopen/201206030 novel-plus CATCHA LoginController.java ajaxLogin authentication replay"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-6533",
"datePublished": "2025-06-24T00:00:12.882Z",
"dateReserved": "2025-06-23T14:32:23.248Z",
"dateUpdated": "2025-06-25T15:02:40.680Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68671 (GCVE-0-2025-68671)
Vulnerability from cvelistv5 – Published: 2026-01-15 22:35 – Updated: 2026-01-20 16:28
VLAI
Title
lakeFS is Missing Timestamp Validation in S3 Gateway Authentication
Summary
lakeFS is an open-source tool that transforms object storage into a Git-like repositories. LakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to 1.75.0, an attacker who captures a valid signed request (e.g., through network interception, logs, or compromised systems) can replay that request until credentials are rotated, even after the request is intended to expire. This vulnerability is fixed in 1.75.0.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-294 - Authentication Bypass by Capture-replay
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/treeverse/lakeFS/security/advi… | x_refsource_CONFIRM |
| https://github.com/treeverse/lakeFS/issues/9599 | x_refsource_MISC |
| https://github.com/treeverse/lakeFS/commit/92966a… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68671",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T16:28:39.500804Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T16:28:55.951Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lakeFS",
"vendor": "treeverse",
"versions": [
{
"status": "affected",
"version": "\u003c 1.75.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "lakeFS is an open-source tool that transforms object storage into a Git-like repositories. LakeFS\u0027s S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to 1.75.0, an attacker who captures a valid signed request (e.g., through network interception, logs, or compromised systems) can replay that request until credentials are rotated, even after the request is intended to expire. This vulnerability is fixed in 1.75.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294: Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T22:35:44.495Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/treeverse/lakeFS/security/advisories/GHSA-f2ph-gc9m-q55f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/treeverse/lakeFS/security/advisories/GHSA-f2ph-gc9m-q55f"
},
{
"name": "https://github.com/treeverse/lakeFS/issues/9599",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/treeverse/lakeFS/issues/9599"
},
{
"name": "https://github.com/treeverse/lakeFS/commit/92966ae611d7f1a2bbe7fd56f9568c975aab2bd8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/treeverse/lakeFS/commit/92966ae611d7f1a2bbe7fd56f9568c975aab2bd8"
}
],
"source": {
"advisory": "GHSA-f2ph-gc9m-q55f",
"discovery": "UNKNOWN"
},
"title": "lakeFS is Missing Timestamp Validation in S3 Gateway Authentication"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68671",
"datePublished": "2026-01-15T22:35:44.495Z",
"dateReserved": "2025-12-22T23:37:00.931Z",
"dateUpdated": "2026-01-20T16:28:55.951Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-69197 (GCVE-0-2025-69197)
Vulnerability from cvelistv5 – Published: 2026-01-06 00:44 – Updated: 2026-01-06 19:01
VLAI
Title
Pterodactyl TOTPs can be reused during validity window
Summary
Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled are prompted to enter a token during sign-in, and afterward it is not sufficiently marked as used in the system. This allows an attacker who intercepts that token to use it in addition to a known username/password during the 60-second token validity window. The attacker must have intercepted a valid 2FA token (for example, during a screen share). This issue is fixed in version 1.12.0.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/pterodactyl/panel/security/adv… | x_refsource_CONFIRM |
| https://github.com/pterodactyl/panel/commit/032bf… | x_refsource_MISC |
| https://github.com/pterodactyl/panel/releases/tag… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| pterodactyl | panel |
Affected:
< 1.12.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-69197",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-06T14:23:37.368932Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T19:01:05.967Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "panel",
"vendor": "pterodactyl",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled are prompted to enter a token during sign-in, and afterward it is not sufficiently marked as used in the system. This allows an attacker who intercepts that token to use it in addition to a known username/password during the 60-second token validity window. The attacker must have intercepted a valid 2FA token (for example, during a screen share). This issue is fixed in version 1.12.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294: Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T00:44:23.399Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pterodactyl/panel/security/advisories/GHSA-rgmp-4873-r683",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-rgmp-4873-r683"
},
{
"name": "https://github.com/pterodactyl/panel/commit/032bf076d92bb2f929fa69c1bac1b89f26b8badf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pterodactyl/panel/commit/032bf076d92bb2f929fa69c1bac1b89f26b8badf"
},
{
"name": "https://github.com/pterodactyl/panel/releases/tag/v1.12.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pterodactyl/panel/releases/tag/v1.12.0"
}
],
"source": {
"advisory": "GHSA-rgmp-4873-r683",
"discovery": "UNKNOWN"
},
"title": "Pterodactyl TOTPs can be reused during validity window"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-69197",
"datePublished": "2026-01-06T00:44:23.399Z",
"dateReserved": "2025-12-29T14:34:46.743Z",
"dateUpdated": "2026-01-06T19:01:05.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- Utilize some sequence or time stamping functionality along with a checksum which takes this into account in order to ensure that messages can be parsed only once.
Mitigation
Phase: Architecture and Design
Description:
- Since any attacker who can listen to traffic can see sequence numbers, it is necessary to sign messages with some kind of cryptography to ensure that sequence numbers are not simply doctored along with content.
CAPEC-102: Session Sidejacking
Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.
CAPEC-509: Kerberoasting
Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. As an authenticated user, the adversary may request Active Directory and obtain a service ticket with portions encrypted via RC4 with the private key of the authenticated account. By extracting the local ticket and saving it disk, the adversary can brute force the hashed value to reveal the target account credentials.
CAPEC-555: Remote Services with Stolen Credentials
This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.
CAPEC-561: Windows Admin Shares with Stolen Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain.
CAPEC-60: Reusing Session IDs (aka Session Replay)
This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
CAPEC-644: Use of Captured Hashes (Pass The Hash)
An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.
CAPEC-645: Use of Captured Tickets (Pass The Ticket)
An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-701: Browser in the Middle (BiTM)
An adversary exploits the inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim's browser to the adversary's system. The adversary must deploy a web client with a remote desktop session that the victim can access.
CAPEC-94: Adversary in the Middle (AiTM)
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.