CVE & Exploit Intelligence Database

Updated 1h ago

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

337,123 CVEs tracked; 53,223 with exploits; 4,686 exploited in the wild; 1,539 in CISA KEV; 3,912 Nuclei templates; 37,757 vendors; 42,429 researchers
67 results
CVE-2025-47479 5.3 MEDIUM EPSS 0.00
AresIT WP Compress <=6.30.30 - Auth Bypass
Weak Authentication vulnerability in AresIT WP Compress allows Authentication Abuse. This issue affects WP Compress: from n/a through 6.30.30.
CWE-1390 Jul 04, 2025
CVE-2025-5484 8.3 HIGH EPSS 0.00
SinoTrack - Auth Bypass
A username and password are required to authenticate to the central SinoTrack device management interface. The username for all devices is an identifier printed on the receiver. The default password is well-known and common to all devices. Modification of the default password is not enforced during device setup. A malicious actor can retrieve device identifiers with either physical access or by capturing identifiers from pictures of the devices posted on publicly accessible websites such as eBay.
CWE-1390 Jun 12, 2025
CVE-2024-32119 4.8 MEDIUM EPSS 0.00
Fortinet FortiClientEMS <7.2.4 - Auth Bypass
An improper authentication vulnerability [CWE-287] in Fortinet FortiClientEMS version 7.4.0 and before 7.2.4 allows an unauthenticated attacker with the knowledge of the targeted user's FCTUID and VDOM to perform operations such as uploading or tagging on behalf of the targeted user via specially crafted TCP requests.
CWE-1390 Jun 10, 2025
CVE-2025-0605 4.6 MEDIUM EPSS 0.00
GitLab CE/EE <17.10.7-18.0.1 - Auth Bypass
An issue has been discovered in GitLab CE/EE affecting all versions from 16.8 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Group access controls could allow certain users to bypass two-factor authentication requirements.
CWE-1390 May 22, 2025
CVE-2025-32885 6.5 MEDIUM 1 Writeup EPSS 0.00
goTenna v1 <5.5.3-0.25.5 - Code Injection
An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. The app there makes it possible to inject any custom message (into existing v1 networks) with any GID and Callsign via a software defined radio. This can be exploited if the device is being used in an unencrypted environment or if the cryptography has already been compromised.
CWE-1390 May 01, 2025
CVE-2025-39596 9.8 CRITICAL 2 PoCs Analysis EPSS 0.00
Quentn WP <=1.2.8 - Privilege Escalation
Weak Authentication vulnerability in Quentn.com GmbH Quentn WP allows Privilege Escalation. This issue affects Quentn WP: from n/a through 1.2.8.
CWE-1390 Apr 17, 2025
CVE-2025-27740 8.8 HIGH EPSS 0.02
Windows Active Directory Certificate Services - Privilege Escalation
Weak authentication in Windows Active Directory Certificate Services allows an authorized attacker to elevate privileges over a network.
CWE-1390 Apr 08, 2025
CVE-2025-26635 6.5 MEDIUM EPSS 0.01
Windows Hello - Auth Bypass
Weak authentication in Windows Hello allows an authorized attacker to bypass a security feature over a network.
CWE-1390 Apr 08, 2025
CVE-2024-54092 9.8 CRITICAL EPSS 0.00
Industrial Edge Device Kit - arm64/x86-64 <1.20.2-1/<1.21.1-1 - Inf...
A vulnerability has been identified in Industrial Edge Device Kit - arm64 V1.17 (All versions), Industrial Edge Device Kit - arm64 V1.18 (All versions), Industrial Edge Device Kit - arm64 V1.19 (All versions), Industrial Edge Device Kit - arm64 V1.20 (All versions < V1.20.2-1), Industrial Edge Device Kit - arm64 V1.21 (All versions < V1.21.1-1), Industrial Edge Device Kit - x86-64 V1.17 (All versions), Industrial Edge Device Kit - x86-64 V1.18 (All versions), Industrial Edge Device Kit - x86-64 V1.19 (All versions), Industrial Edge Device Kit - x86-64 V1.20 (All versions < V1.20.2-1), Industrial Edge Device Kit - x86-64 V1.21 (All versions < V1.21.1-1), Industrial Edge Own Device (IEOD) (All versions < V1.21.1-1-a), Industrial Edge Virtual Device (All versions < V1.21.1-1-a), SCALANCE LPE9413 (6GK5998-3GS01-2AC2) (All versions < V2.1), SIMATIC IPC BX-39A Industrial Edge Device (All versions < V3.0), SIMATIC IPC BX-59A Industrial Edge Device (All versions < V3.0), SIMATIC IPC127E Industrial Edge Device (All versions < V3.0), SIMATIC IPC227E Industrial Edge Device (All versions < V3.0), SIMATIC IPC427E Industrial Edge Device (All versions < V3.0), SIMATIC IPC847E Industrial Edge Device (All versions < V3.0). Affected devices do not properly enforce user authentication on specific API endpoints when identity federation is used. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that identity federation is currently or has previously been used and the attacker has learned the identity of a legitimate user.
CWE-1390 Apr 08, 2025
CVE-2024-45551 6.2 MEDIUM EPSS 0.00
Gatekeeper - Privilege Escalation
Cryptographic issue occurs during PIN/password verification using Gatekeeper, where RPMB writes can be dropped on verification failure, potentially leading to a user throttling bypass.
CWE-1390 Apr 07, 2025
CVE-2025-29991 2.2 LOW EPSS 0.00
Yubico YubiKey 5.4.1-5.7.3 - Info Disclosure
Yubico YubiKey 5.4.1 through 5.7.3 before 5.7.4 has an incorrect FIDO CTAP PIN/UV Auth Protocol Two implementation. It uses the signature length from CTAP PIN/UV Auth Protocol One, even when CTAP PIN/UV Auth Protocol Two was chosen, resulting in a partial signature verification.
CWE-1390 Apr 03, 2025
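The YubiKey entry above is about a length constant tied to the wrong protocol version: CTAP2 PIN/UV Auth Protocol One defines pinUvAuthParam as the left 16 bytes of HMAC-SHA-256 over the message, while Protocol Two uses the full 32 bytes. The following Go program is an added illustration, not Yubico code and not taken from the advisory; the token and message bytes are constructed. It shows a correct verifier beside one that reuses the Protocol One length under Protocol Two, so a parameter whose second half is garbage still passes. The caveat a reviewer would add is that a 16-byte HMAC prefix still has to be guessed, which is why the CVSS score is low; the lesson is that any length or truncation rule must be derived from the negotiated protocol, never hard-coded from an earlier version.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// pinUvAuthProtocol is the CTAP2 PIN/UV Auth Protocol negotiated for a request.
type pinUvAuthProtocol int

const (
	protocolOne pinUvAuthProtocol = 1 // pinUvAuthParam = left 16 bytes of HMAC-SHA-256
	protocolTwo pinUvAuthProtocol = 2 // pinUvAuthParam = full 32-byte HMAC-SHA-256
)

// paramLen is the pinUvAuthParam length each protocol version mandates.
func paramLen(p pinUvAuthProtocol) int {
	if p == protocolTwo {
		return sha256.Size
	}
	return 16
}

// authenticate computes pinUvAuthParam = authenticate(pinUvAuthToken, message)
// the way a platform does, truncated to the negotiated protocol's length.
func authenticate(p pinUvAuthProtocol, token, message []byte) []byte {
	mac := hmac.New(sha256.New, token)
	mac.Write(message)
	return mac.Sum(nil)[:paramLen(p)]
}

// verifyCorrect is what the authenticator must do: require exactly the length
// the negotiated protocol mandates and compare all of it in constant time.
func verifyCorrect(p pinUvAuthProtocol, token, message, param []byte) bool {
	if len(param) != paramLen(p) {
		return false
	}
	return hmac.Equal(param, authenticate(p, token, message))
}

// verifyFlawed models the defect the advisory describes: the Protocol One
// length is used regardless of p, so under Protocol Two only the first 16 of
// the 32 bytes are checked and the rest of the parameter is never verified.
func verifyFlawed(p pinUvAuthProtocol, token, message, param []byte) bool {
	n := paramLen(protocolOne) // bug: should be paramLen(p)
	if len(param) < n {
		return false
	}
	return hmac.Equal(param[:n], authenticate(protocolTwo, token, message)[:n])
}

func main() {
	token := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte pinUvAuthToken
	msg := []byte("clientDataHash-and-command-bytes")  // constructed message
	forged := authenticate(protocolTwo, token, msg)
	for i := 16; i < 32; i++ {
		forged[i] ^= 0xff // second half deliberately wrong
	}
	fmt.Println("correct verifier accepts forged param:", verifyCorrect(protocolTwo, token, msg, forged))
	fmt.Println("flawed verifier accepts forged param: ", verifyFlawed(protocolTwo, token, msg, forged))
}
```

Running it prints false for the correct verifier and true for the flawed one. When reviewing firmware that supports several protocol versions, look for any constant that should instead be a function of the negotiated version.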
CVE-2025-31676 8.8 HIGH EPSS 0.00
Drupal Email TFA <2.0.3 - Auth Bypass
Weak Authentication vulnerability in Drupal Email TFA allows Brute Force. This issue affects Email TFA: from 0.0.0 before 2.0.3.
CWE-1390 Mar 31, 2025
CVE-2025-29994 EPSS 0.00
CAP Back Office - Auth Bypass
This vulnerability exists in the CAP back office application due to improper authentication check at the API endpoint. An unauthenticated remote attacker with a valid login ID could exploit this vulnerability by manipulating API input parameters through API request URL/payload leading to unauthorized access to other user accounts.
CWE-1390 Mar 13, 2025
CVE-2025-24070 7.0 HIGH EPSS 0.00
ASP.NET Core & Visual Studio - Privilege Escalation
Weak authentication in ASP.NET Core & Visual Studio allows an unauthorized attacker to elevate privileges over a network.
CWE-1390 Mar 11, 2025
CVE-2025-1293 8.2 HIGH EPSS 0.00
Hashicorp Hermes < 0.5.0 - Authentication Bypass
Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0.
CWE-1390 Feb 20, 2025
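The Hermes entry concerns the AWS ALB authentication mode, in which the load balancer forwards an ES256-signed JWT in the x-amzn-oidc-data header and the application must verify that signature before trusting the claims. The Go program below is an added example, not Hermes code and not a reproduction of its fix; it contrasts the bug pattern (decode the payload and trust it) with a verifier that pins the algorithm, pins the signing load balancer's ARN, resolves the public key by kid, checks the signature over header.payload and enforces exp. The key lookup is an in-memory map standing in for the fetch from the regional public-key endpoint, the ARN and claims are constructed, and the mint function only exists so the example can produce tokens offline; with a real ALB only AWS holds the signing key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// albHeader holds the JOSE header fields an ALB sets on x-amzn-oidc-data.
type albHeader struct {
	Alg    string `json:"alg"`
	Kid    string `json:"kid"`
	Signer string `json:"signer"` // ARN of the load balancer that signed the token
}

type albClaims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// b64Decode strips the '=' padding that ALB-issued tokens carry.
func b64Decode(s string) ([]byte, error) {
	return base64.RawURLEncoding.DecodeString(strings.TrimRight(s, "="))
}

// decodeOnly is the bug pattern: claims are trusted without any check of who
// signed them, so a client can hand the service a JWT naming another user.
func decodeOnly(token string) (*albClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw, err := b64Decode(parts[1])
	if err != nil {
		return nil, err
	}
	c := new(albClaims)
	return c, json.Unmarshal(raw, c)
}

// verify pins alg and signer, resolves the key by kid (lookup stands in for the
// regional public-key endpoint), checks the ES256 signature over
// header.payload and enforces exp before any claim is returned.
func verify(token, expectedSigner string, lookup func(kid string) (*ecdsa.PublicKey, bool), now time.Time) (*albClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var h albHeader
	if hdrRaw, err := b64Decode(parts[0]); err != nil || json.Unmarshal(hdrRaw, &h) != nil {
		return nil, errors.New("bad header")
	}
	if h.Alg != "ES256" || h.Signer != expectedSigner {
		return nil, fmt.Errorf("rejecting alg=%q signer=%q", h.Alg, h.Signer)
	}
	pub, ok := lookup(h.Kid)
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", h.Kid)
	}
	sig, err := b64Decode(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("ES256 signature must be r||s, 64 bytes")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	c, err := decodeOnly(token) // safe only after the signature check above
	if err != nil || now.Unix() >= c.Exp {
		return nil, errors.New("bad or expired claims")
	}
	return c, nil
}

// mint signs an ALB-shaped token with the given key (test scaffolding only).
func mint(priv *ecdsa.PrivateKey, kid, signer string, claims albClaims) (string, error) {
	hdr, _ := json.Marshal(albHeader{Alg: "ES256", Kid: kid, Signer: signer})
	body, _ := json.Marshal(claims)
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64(sig), nil
}

func main() {
	albKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	attacker, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	signer := "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/demo/abc" // constructed
	lookup := func(kid string) (*ecdsa.PublicKey, bool) {
		if kid == "kid-1" {
			return &albKey.PublicKey, true
		}
		return nil, false
	}
	now := time.Now()
	forged, _ := mint(attacker, "kid-1", signer, albClaims{Sub: "admin", Exp: now.Unix() + 300})
	c, _ := decodeOnly(forged)
	_, err := verify(forged, signer, lookup, now)
	fmt.Printf("decode-only trusts sub=%q; verify says: %v\n", c.Sub, err)
}
```

Two details matter in production: the kid lookup must only ever return keys fetched from the ALB's own regional endpoint (never a key carried in the token), and the signer check prevents a token minted by a different, attacker-controlled load balancer in the same account or region from being accepted.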
CVE-2024-52541 8.2 HIGH EPSS 0.00
Dell Client Platform BIOS - Privilege Escalation
Dell Client Platform BIOS contains a Weak Authentication vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.
CWE-1390 Feb 19, 2025
CVE-2025-1387 9.8 CRITICAL EPSS 0.00
Orca HCM - Auth Bypass
Orca HCM from LEARNING DIGITAL has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to log in to the system as any user.
CWE-1390 Feb 17, 2025
CVE-2025-26343 8.1 HIGH EPSS 0.00
Q-Free MaxTime <= 2.11.0 - Auth Bypass
A CWE-1390 "Weak Authentication" in the PIN authentication mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to brute-force user PINs via multiple crafted HTTP requests.
CWE-1390 Feb 12, 2025
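The Q-Free MaxTime entry above, and the Drupal Email TFA entry earlier on this page, are both CWE-1390 cases where a short secret can simply be guessed online. A 4-digit PIN has 10,000 values; at ten HTTP requests per second an unthrottled endpoint falls in under twenty minutes. The Go program below is an added example of the control those products lacked, not code from either vendor: a per-identity failure counter with a lockout window that doubles on each successive lockout, a constant-time comparison, and a locked identity that rejects even the correct PIN so a guess made during the window learns nothing. The maxFails and window values are assumptions chosen for illustration; the advisories publish no such parameters.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"sync"
	"time"
)

// pinGuard counts failed PIN attempts per identity and locks the identity out
// for a growing window once the budget is spent. Parameters are assumed.
type pinGuard struct {
	mu       sync.Mutex
	maxFails int
	base     time.Duration
	state    map[string]*attempts
}

type attempts struct {
	fails       int
	lockouts    int // lockouts so far; the window doubles each time
	lockedUntil time.Time
}

func newPinGuard(maxFails int, base time.Duration) *pinGuard {
	return &pinGuard{maxFails: maxFails, base: base, state: map[string]*attempts{}}
}

// check reports whether the submitted PIN is accepted and, if the identity is
// locked, how long the caller must wait. The compare is constant-time and a
// locked identity rejects even the correct PIN. In a real system stored would
// be a slow hash of the PIN, not the PIN itself.
func (g *pinGuard) check(id, submitted, stored string, now time.Time) (bool, time.Duration) {
	g.mu.Lock()
	defer g.mu.Unlock()
	a := g.state[id]
	if a == nil {
		a = &attempts{}
		g.state[id] = a
	}
	if now.Before(a.lockedUntil) {
		return false, a.lockedUntil.Sub(now)
	}
	if subtle.ConstantTimeCompare([]byte(submitted), []byte(stored)) == 1 {
		a.fails = 0
		return true, 0
	}
	a.fails++
	if a.fails >= g.maxFails {
		window := g.base << uint(a.lockouts)
		a.lockedUntil = now.Add(window)
		a.lockouts++
		a.fails = 0
		return false, window
	}
	return false, 0
}

// guessesPerDay is the online budget one identity exposes under this policy if
// the attacker waits out each window (first window only, no doubling).
func guessesPerDay(maxFails int, base time.Duration) float64 {
	return float64(maxFails) * float64(24*time.Hour) / float64(base)
}

func main() {
	g := newPinGuard(5, 15*time.Minute)
	now := time.Now()
	for i := 0; i < 5; i++ {
		g.check("user-42", "0000", "4821", now) // constructed wrong guesses
	}
	ok, wait := g.check("user-42", "4821", "4821", now)
	fmt.Printf("correct PIN during lockout accepted=%v wait=%v\n", ok, wait)
	fmt.Printf("budget: %.0f guesses/day against a 10,000-value PIN\n", guessesPerDay(5, 15*time.Minute))
}
```

With 5 attempts per 15-minute window the attacker gets 480 guesses a day, so the expected time to hit one 4-digit PIN is over ten days rather than minutes, and every lockout is an alertable event. Apply the same counter per source address as well, otherwise an attacker can lock legitimate users out on purpose.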
CVE-2025-23058 8.8 HIGH EPSS 0.00
ClearPass Policy Manager - Privilege Escalation
A vulnerability in the ClearPass Policy Manager web-based management interface allows a low-privileged (read-only) authenticated remote attacker to gain unauthorized access to data and the ability to execute functions that should be restricted to administrators only with read/write privileges. Successful exploitation could enable a low-privileged user to execute administrative functions leading to an escalation of privileges.
CWE-1390 Feb 04, 2025
CVE-2025-21552 6.5 MEDIUM EPSS 0.00
Oracle JD Edwards <9.2.9.2 - Unauthorized Access
Vulnerability in the JD Edwards EnterpriseOne Orchestrator product of Oracle JD Edwards (component: E1 IOT Orchestrator Security). Supported versions that are affected are Prior to 9.2.9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Orchestrator. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Orchestrator accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
CWE-1390 Jan 21, 2025