CVE-2025-4558

CRITICAL

GPM - WormHole Tech - Auth Bypass

Title source: llm

Description

The GPM from WormHole Tech has an Unverified Password Change vulnerability, allowing unauthenticated remote attackers to change any user's password and use the modified password to log into the system.

References (2)

[Various Sources] https://www.twcert.org.tw/tw/cp-132-10114-10b4b-1.html

[Various Sources] https://www.twcert.org.tw/en/cp-139-10115-f5f14-2.html

Scores

CVSS v3 9.8

EPSS 0.0059

EPSS Percentile 69.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-620

Status published

Products (1)

WormHole Tech/GPM < 202502

Published May 12, 2025

Tracked Since Feb 18, 2026