CWE-287
Improper Authentication
Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94
CVEs mapped to this weakness (2,419)
page 6 of 121

| CVE | Vendor / Product | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-12374 | | Cri | 0.64 | 9.8 | 0.00 | | Dec 5, 2025 | The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.44. This is due to the plugin not properly validating that… |
| CVE-2025-56447 | | Cri | 0.64 | 9.8 | 0.00 | | Oct 22, 2025 | TM2 Monitoring v3.04 contains an authentication bypass and plaintext credential disclosure. |
| CVE-2025-60772 | | Cri | 0.64 | 9.8 | 0.01 | | Oct 21, 2025 | Improper authentication in the web-based management interface of NETLINK HG322G V1.0.00-231017 allows a remote unauthenticated attacker to escalate privileges and lock out the legitimate administrator via crafted HTTP requests. |
| CVE-2025-34186 | | Cri | 0.64 | 9.8 | 0.01 | | Sep 16, 2025 | Ilevia EVE X1/X5 Server version ≤ 4.7.18.0.eden contains a vulnerability in its authentication mechanism. Unsanitized input is passed to a system() call for authentication, allowing attackers to inject special characters and manipulate command parsing. Because the binary… |
| CVE-2025-9994 | | Cri | 0.64 | 9.8 | 0.01 | | Sep 9, 2025 | The Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not have an authentication feature, allowing unauthorized access to anyone with network access. |
| CVE-2024-52786 | | Cri | 0.64 | 9.8 | 0.01 | | Aug 22, 2025 | An authentication bypass vulnerability in anji-plus AJ-Report up to v1.4.2 allows unauthenticated attackers to execute arbitrary code via a crafted URL. |
| CVE-2024-50645 | | Cri | 0.64 | 9.8 | 0.01 | | Aug 22, 2025 | MallChat v1.0-SNAPSHOT has an authentication bypass vulnerability. An attacker can exploit this vulnerability to access the API without any token. |
| CVE-2024-50644 | | Cri | 0.64 | 9.8 | 0.00 | | Aug 22, 2025 | zhisheng17 blog 3.0.1-SNAPSHOT has an authentication bypass vulnerability. An attacker can exploit this vulnerability to access the API without any token. |
| CVE-2025-52395 | — | Cri | 0.64 | 9.8 | 0.01 | | Aug 21, 2025 | An issue in Roadcute API v.1 allows a remote attacker to execute arbitrary code via the application exposing a password reset API endpoint that fails to validate the identity of the requester properly. |
| CVE-2024-50640 | | Cri | 0.64 | 9.8 | 0.00 | | Aug 20, 2025 | jeewx-boot 1.3 has an authentication bypass vulnerability in the preHandle function. |
| CVE-2025-52376 | | Cri | 0.64 | 9.8 | 0.09 | | Jul 15, 2025 | An authentication bypass vulnerability in the /web/um_open_telnet.cgi endpoint in Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below allows an attacker to remotely enable the Telnet service without authentication, bypassing security controls. The Telnet server… |
| CVE-2025-7574 | | Cri | 0.64 | 9.8 | 0.01 | | Jul 14, 2025 | A vulnerability, which was classified as critical, was found in LB-LINK BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P and BL-WR9000 up to 20250702. Affected is the function reboot/restore of the file /cgi-bin/lighttpd.cgi of the component Web Interface. The… |
| CVE-2025-6172 | — | Cri | 0.64 | 9.8 | 0.00 | | Jun 16, 2025 | Permission vulnerability in the mobile application (com.afmobi.boomplayer) may lead to the risk of unauthorized operation. |
| CVE-2025-30430 | | Cri | 0.64 | 9.8 | 0.01 | | Mar 31, 2025 | This issue was addressed through improved state management. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4, watchOS 11.4. Password autofill may fill in passwords after failing authentication. |
| CVE-2024-13804 | | Cri | 0.64 | 9.8 | 0.00 | | Mar 30, 2025 | Unauthenticated RCE in HPE Insight Cluster Management Utility. |
| CVE-2024-56336 | | Cri | 0.64 | 9.8 | 0.01 | | Mar 11, 2025 | A vulnerability has been identified in SINAMICS S200 (All versions with serial number beginning with SZVS8, SZVS9, SZVS0 or SZVSN and the FS number is 02). The affected device contains an unlocked bootloader. This security oversight enables attackers to inject malicious code, or… |
| CVE-2025-0637 | | Cri | 0.64 | 9.8 | 0.00 | | Jan 23, 2025 | It has been found that the Beta10 software does not provide for proper authorisation control in multiple areas of the application. This deficiency could allow a malicious actor, without authentication, to access private areas and/or areas intended for other roles. The… |
| CVE-2025-0070 | | Cri | 0.64 | 9.9 | 0.01 | | Jan 14, 2025 | SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to obtain illegitimate access to the system by exploiting improper authentication checks, resulting in privilege escalation. On successful exploitation, this can result in potential… |
| CVE-2024-12264 | | Cri | 0.64 | 9.8 | 0.01 | | Jan 7, 2025 | The PayU CommercePro Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.8.3. This is due to /wp-json/payu/v1/generate-user-token and /wp-json/payu/v1/get-shipping-cost REST API endpoints not properly verifying a user's… |
| CVE-2024-1610 | | Cri | 0.64 | 9.8 | 0.01 | | Dec 18, 2024 | In OPPO Store APP, there's a possible escalation of privilege due to improper input validation. |