CWE-1390
Weak Authentication
Description
The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.
Hierarchy (View 1000)
CVEs mapped to this weakness (33)
Page 1 of 2

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-6274 | | Critical | 0.64 | 9.8 | 0.00 | | Jun 5, 2026 | Improper Authentication, Missing authentication for critical function, Weak Authentication vulnerability in DTS Electronics Industry and Trade Ltd. Co. Redline WR3200 allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Redline WR3200: from 7.1.3… |
| CVE-2026-6886 | — | Critical | 0.64 | 9.8 | 0.00 | | Apr 23, 2026 | Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to log into the system as any user. |
| CVE-2025-39596 | | Critical | 0.64 | 9.8 | 0.00 | | Apr 17, 2025 | Weak Authentication vulnerability in Quentn.com GmbH Quentn WP quentn-wp allows Privilege Escalation. This issue affects Quentn WP: from n/a through <= 1.2.8. |
| CVE-2024-54092 | | Critical | 0.64 | 9.8 | 0.01 | | Apr 8, 2025 | A vulnerability has been identified in Industrial Edge Device Kit - arm64 V1.17 (All versions), Industrial Edge Device Kit - arm64 V1.18 (All versions), Industrial Edge Device Kit - arm64 V1.19 (All versions), Industrial Edge Device Kit - arm64 V1.20 (All versions < V1.20.2-1),… |
| CVE-2023-49340 | | Critical | 0.64 | 9.8 | 0.01 | | Mar 9, 2024 | An issue was discovered in Newland Nquire 1000 Interactive Kiosk version NQ1000-II_G_V1.00.011, allows remote attackers to escalate privileges and bypass authentication via incorrect access control in the web management portal. |
| CVE-2024-45367 | — | Critical | 0.59 | 9.1 | 0.01 | | Oct 3, 2024 | The web server for ONS-S8 - Spectra Aggregation Switch includes an incomplete authentication process, which can lead to an attacker authenticating without a password. |
| CVE-2024-39848 | | Critical | 0.59 | 9.1 | 0.00 | | Jun 29, 2024 | Internet2 Grouper before 5.6 allows authentication bypass when LDAP authentication is used in certain ways. This is related to internet2.middleware.grouper.ws.security.WsGrouperLdapAuthentication and the use of the UyY29r password for the M3vwHr account. This also affects… |
| CVE-2025-59249 | | High | 0.57 | 8.8 | 0.01 | | Oct 14, 2025 | Weak authentication in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network. |
| CVE-2025-5484 | — | High | 0.54 | 8.3 | 0.00 | | Jun 12, 2025 | A username and password are required to authenticate to the central SinoTrack device management interface. The username for all devices is an identifier printed on the receiver. The default password is well-known and common to all devices. Modification of the default … |
| CVE-2026-0274 | — | High | 0.53 | — | 0.00 | | Jun 10, 2026 | An improper validation of credentials vulnerability in the CommvaultSecurityIQ integration for Cortex XSOAR and Cortex XSIAM allows an unauthenticated attacker to access and modify protected resources. |
| CVE-2026-44237 | | High | 0.53 | 8.1 | 0.00 | | May 29, 2026 | FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client credentials during token issuance. Knowledge of a valid client_id is required. The validateClient() method in ClientRepository.php… |
| CVE-2026-4924 | | High | 0.53 | 8.2 | 0.00 | | Apr 1, 2026 | Improper authentication in the two-factor authentication (2FA) feature in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multifactor authentication and gain unauthorized access to the victim account via reuse of a partially… |
| CVE-2026-4828 | | High | 0.53 | 8.2 | 0.00 | | Apr 1, 2026 | Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request. |
| CVE-2025-1727 | — | High | 0.53 | 8.1 | 0.01 | | Jul 10, 2025 | The protocol used for remote linking over RF for End-of-Train and Head-of-Train (also known as a FRED) relies on a BCH checksum for packet creation. It is possible to create these EoT and HoT packets with a software defined radio and issue brake control commands to the EoT … |
| CVE-2025-29994 | — | High | 0.53 | — | 0.00 | | Mar 13, 2025 | This vulnerability exists in the CAP back office application due to improper authentication check at the API endpoint. An unauthenticated remote attacker with a valid login ID could exploit this vulnerability by manipulating API input parameters through API request URL/payload… |
| CVE-2026-0204 | | High | 0.52 | 8.0 | 0.00 | | Apr 29, 2026 | A vulnerability in the access control mechanism of SonicOS may allow certain management interface functions to be accessible under specific conditions. |
| CVE-2026-40417 | | High | 0.51 | 7.8 | 0.00 | | May 12, 2026 | Weak authentication in Dynamics Business Central allows an authorized attacker to elevate privileges locally. |
| CVE-2025-11084 | — | High | 0.49 | — | 0.00 | | Nov 11, 2025 | A security issue exists within DataMosaix™ Private Cloud, allowing attackers to bypass MFA during setup and obtain a valid login-token cookie without knowing the user's password. This vulnerability occurs when MFA is enabled but not completed within a 7-day period. |
| CVE-2024-47397 | | High | 0.49 | 7.5 | 0.00 | | Dec 18, 2024 | Weak authentication issue exists in AE1021 firmware versions 2.0.10 and earlier and AE1021PE firmware versions 2.0.10 and earlier. If this vulnerability is exploited, the authentication may be bypassed with an undocumented specific string. |
| CVE-2025-70994 | | High | 0.47 | 7.3 | 0.00 | | Apr 23, 2026 | Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system. The system utilizes the EV1527 fixed-code RF protocol without implementing rolling codes or cryptographic challenge-response mechanisms. This is… |