CVE-2025-28371
MEDIUM
EnGenius ENH500 AP 2T2R V3.0 FW3.7.22 - Incorrect Access Control via Password Change Function
Title source: llm
Description
EnGenius ENH500 AP 2T2R V3.0 FW3.7.22 is vulnerable to Incorrect Access Control via the password change function. The device fails to validate the current password, allowing an attacker to submit a password change request with an invalid current password and set a new password.
References (3)
Core References
Third Party Advisory
https://pastebin.com/raw/EnL1XT2n
Third Party Advisory
https://pastebin.com/raw/hziq1nGH
Scores
CVSS v3: 6.5
EPSS: 0.0040
EPSS Percentile: 31.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-284
Status: published
Products (1)
engeniustech/enh500_firmware 3.7.22
Published: May 19, 2025
Tracked Since: Feb 18, 2026