CWE-287
Improper Authentication
Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94
CVEs mapped to this weakness (2,419)
page 17 of 121| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-7938 | Cri | 0.64 | 9.8 | 0.04 | Jan 9, 2016 | Advantech EKI-132x devices with firmware before 2015-12-31 allow remote attackers to bypass authentication via unspecified vectors. | ||
| CVE-2012-6437 | Cri | 0.64 | 9.8 | 0.10 | Jan 24, 2013 | The device does not properly authenticate users and the potential exists for a remote user to upload a new firmware image to the Ethernet card, whether it is a corrupt or legitimate firmware image. Successful exploitation of this vulnerability could cause loss of availability,… | ||
| CVE-2012-0931 | Cri | 0.64 | 9.8 | 0.05 | Jan 28, 2012 | Schneider Electric Modicon Quantum PLC does not perform authentication between the Unity software and PLC, which allows remote attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors. | ||
| CVE-2010-4478 | Cri | 0.64 | 9.8 | 0.04 | Dec 6, 2010 | OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round… | ||
| CVE-2009-2422 | Cri | 0.64 | 9.8 | 0.03 | Jul 10, 2009 | The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers… | ||
| CVE-2007-4043 | Cri | 0.64 | 9.8 | 0.02 | Jul 27, 2007 | file.cgi in Secure Computing SecurityReporter (aka Network Security Analyzer) before 4.6.3 allows remote attackers to bypass authentication via a name parameter ending with a "%00.gif" sequence. NOTE: a separate traversal vulnerability could be leveraged to download arbitrary… | ||
| CVE-2024-22245 | Cri | 0.63 | 9.6 | 0.01 | Feb 20, 2024 | Arbitrary Authentication Relay and Session Hijack vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP) could allow a malicious actor that could trick a target domain user with EAP installed in their web browser into requesting and relaying service… | ||
| CVE-2026-1568 | Cri | 0.62 | 9.6 | 0.00 | Feb 3, 2026 | Rapid7 InsightVM versions before 8.34.0 contain a signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint that could allow an attacker to gain unauthorized access to InsightVM accounts setup via "Security Console" installations, resulting in full… | ||
| CVE-2025-62376 | Cri | 0.62 | — | 0.01 | Oct 14, 2025 | pwn.college DOJO is an education platform for learning cybersecurity. Prior to commit 467db0b9ea0d9a929dc89b41f6eb59f7cfc68bef, the /workspace endpoint contains an improper authentication vulnerability that allows an attacker to access any active Windows VM without proper… | ||
| CVE-2025-3621 | Cri | 0.62 | 9.6 | 0.01 | Jul 15, 2025 | Vulnerabilities* in ActADUR local server product, developed and maintained by ProTNS, allows Remote Code Inclusion on host systems. * vulnerabilities: * Improper Neutralization of Special Elements used in a Command ('Command Injection') * Use of Hard-coded… | ||
| CVE-2024-45347 | Cri | 0.62 | 9.6 | 0.00 | Jun 23, 2025 | An unauthorized access vulnerability exists in the Xiaomi Mi Connect Service APP. The vulnerability is caused by the validation logic is flawed and can be exploited by attackers to Unauthorized access to the victim’s device. | ||
| CVE-2025-23116 | Cri | 0.62 | 9.6 | 0.01 | Mar 1, 2025 | An Authentication Bypass vulnerability on UniFi Protect Application with Auto-Adopt Bridge Devices enabled could allow a malicious actor with access to UniFi Protect Cameras adjacent network to take control of UniFi Protect Cameras. | ||
| CVE-2018-7750 | — | Cri | 0.62 | 9.8 | 0.27 | Mar 13, 2018 | transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing… | |
| CVE-2025-3659 | Cri | 0.61 | — | 0.00 | May 12, 2025 | Improper authentication handling was identified in a set of HTTP POST requests affecting the following product families: * Digi PortServer TS - prior to and including 82000747_AA, build date 06/17/2022 * Digi One SP/Digi One SP IA/Digi One IA - prior to and including… | ||
| CVE-2024-43240 | Cri | 0.61 | 9.4 | 0.01 | Aug 19, 2024 | Improper Authentication vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro.This issue affects Ultimate Membership Pro: from n/a through <= 12.7. | ||
| CVE-2024-7395 | Cri | 0.61 | — | 0.01 | Aug 5, 2024 | An authentication bypass vulnerability in Korenix JetPort 5601v3 allows an attacker to access functionality on the device without specifying a password.This issue affects JetPort 5601v3: through 1.2. | ||
| CVE-2021-43116 | — | Hig | 0.61 | 8.8 | 0.07 | Jul 5, 2022 | An Access Control vulnerability exists in Nacos 2.0.3 in the access prompt page; enter username and password, click on login to capture packets and then change the returned package, which lets a malicious user login. | |
| CVE-2018-14786 | Cri | 0.61 | 9.4 | 0.03 | Aug 23, 2018 | Becton, Dickinson and Company (BD) Alaris Plus medical syringe pumps (models Alaris GS, Alaris GH, Alaris CC, and Alaris TIVA) versions 2.3.6 and prior are affected by an improper authentication vulnerability where the software does not perform authentication for functionality… | ||
| CVE-2017-14000 | Cri | 0.61 | 9.4 | 0.02 | Oct 5, 2017 | An Improper Authentication issue was discovered in Ctek SkyRouter Series 4200 and 4400, all versions prior to V6.00.11. By accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to access the application without authenticating. | ||
| CVE-2017-9630 | Cri | 0.61 | 9.4 | 0.01 | Aug 7, 2017 | An Improper Authentication issue was discovered in PDQ Manufacturing LaserWash G5 and G5 S Series all versions, LaserWash M5, all versions, LaserWash 360 and 360 Plus, all versions, LaserWash AutoXpress and AutoExpress Plus, all versions, LaserJet, all versions, ProTouch Tandem,… |
- risk 0.64cvss 9.8epss 0.04
Advantech EKI-132x devices with firmware before 2015-12-31 allow remote attackers to bypass authentication via unspecified vectors.
- risk 0.64cvss 9.8epss 0.10
The device does not properly authenticate users and the potential exists for a remote user to upload a new firmware image to the Ethernet card, whether it is a corrupt or legitimate firmware image. Successful exploitation of this vulnerability could cause loss of availability,…
- risk 0.64cvss 9.8epss 0.05
Schneider Electric Modicon Quantum PLC does not perform authentication between the Unity software and PLC, which allows remote attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors.
- risk 0.64cvss 9.8epss 0.04
OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round…
- risk 0.64cvss 9.8epss 0.03
The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers…
- risk 0.64cvss 9.8epss 0.02
file.cgi in Secure Computing SecurityReporter (aka Network Security Analyzer) before 4.6.3 allows remote attackers to bypass authentication via a name parameter ending with a "%00.gif" sequence. NOTE: a separate traversal vulnerability could be leveraged to download arbitrary…
- risk 0.63cvss 9.6epss 0.01
Arbitrary Authentication Relay and Session Hijack vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP) could allow a malicious actor that could trick a target domain user with EAP installed in their web browser into requesting and relaying service…
- risk 0.62cvss 9.6epss 0.00
Rapid7 InsightVM versions before 8.34.0 contain a signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint that could allow an attacker to gain unauthorized access to InsightVM accounts setup via "Security Console" installations, resulting in full…
- risk 0.62cvss —epss 0.01
pwn.college DOJO is an education platform for learning cybersecurity. Prior to commit 467db0b9ea0d9a929dc89b41f6eb59f7cfc68bef, the /workspace endpoint contains an improper authentication vulnerability that allows an attacker to access any active Windows VM without proper…
- risk 0.62cvss 9.6epss 0.01
Vulnerabilities* in ActADUR local server product, developed and maintained by ProTNS, allows Remote Code Inclusion on host systems. * vulnerabilities: * Improper Neutralization of Special Elements used in a Command ('Command Injection') * Use of Hard-coded…
- risk 0.62cvss 9.6epss 0.00
An unauthorized access vulnerability exists in the Xiaomi Mi Connect Service APP. The vulnerability is caused by the validation logic is flawed and can be exploited by attackers to Unauthorized access to the victim’s device.
- risk 0.62cvss 9.6epss 0.01
An Authentication Bypass vulnerability on UniFi Protect Application with Auto-Adopt Bridge Devices enabled could allow a malicious actor with access to UniFi Protect Cameras adjacent network to take control of UniFi Protect Cameras.
- risk 0.62cvss 9.8epss 0.27
transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing…
- risk 0.61cvss —epss 0.00
Improper authentication handling was identified in a set of HTTP POST requests affecting the following product families: * Digi PortServer TS - prior to and including 82000747_AA, build date 06/17/2022 * Digi One SP/Digi One SP IA/Digi One IA - prior to and including…
- risk 0.61cvss 9.4epss 0.01
Improper Authentication vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro.This issue affects Ultimate Membership Pro: from n/a through <= 12.7.
- risk 0.61cvss —epss 0.01
An authentication bypass vulnerability in Korenix JetPort 5601v3 allows an attacker to access functionality on the device without specifying a password.This issue affects JetPort 5601v3: through 1.2.
- risk 0.61cvss 8.8epss 0.07
An Access Control vulnerability exists in Nacos 2.0.3 in the access prompt page; enter username and password, click on login to capture packets and then change the returned package, which lets a malicious user login.
- risk 0.61cvss 9.4epss 0.03
Becton, Dickinson and Company (BD) Alaris Plus medical syringe pumps (models Alaris GS, Alaris GH, Alaris CC, and Alaris TIVA) versions 2.3.6 and prior are affected by an improper authentication vulnerability where the software does not perform authentication for functionality…
- risk 0.61cvss 9.4epss 0.02
An Improper Authentication issue was discovered in Ctek SkyRouter Series 4200 and 4400, all versions prior to V6.00.11. By accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to access the application without authenticating.
- risk 0.61cvss 9.4epss 0.01
An Improper Authentication issue was discovered in PDQ Manufacturing LaserWash G5 and G5 S Series all versions, LaserWash M5, all versions, LaserWash 360 and 360 Plus, all versions, LaserWash AutoXpress and AutoExpress Plus, all versions, LaserJet, all versions, ProTouch Tandem,…