CWE-294
Authentication Bypass by Capture-replay
Description
A capture-replay flaw exists when the design of the product makes it possible for an attacker to capture traffic (on a network, a serial bus or a radio link) and bypass authentication by replaying it to the server in question, to the same effect as the original message or with only minor changes. The root cause is that nothing in the authentication message binds it to a particular session or point in time: a static credential, a fixed code or a MAC over unchanging fields is as good to the verifier the second time as the first.
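The following is an added example, not code from MITRE or from any vendor listed on this page; the class names, the shared key and the messages are all constructed for illustration. It puts a replayable design beside the two mitigations a verifier normally relies on: a server-issued, single-use nonce (challenge-response) and a strictly increasing per-sender sequence number, the frame-counter pattern used by field-bus and radio protocols. The sequence-number server advances its counter only after the MAC verifies, so an unauthenticated frame with a bumped counter cannot desynchronise the real sender.

```python
"""Capture-replay of an authentication message, and two designs that resist it.

Added example; not code from MITRE or any vendor on this page. Every name here
(VulnerableServer, NonceServer, CounterServer, KEY, the message builders) is
hypothetical and constructed for the demonstration.
"""
import hashlib
import hmac
import os

KEY = b"shared-secret-demo-key"  # constructed for the example, not a real credential


def mac(*parts):
    """HMAC-SHA256 over the '|'-joined parts, hex-encoded."""
    return hmac.new(KEY, b"|".join(parts), hashlib.sha256).hexdigest()


class VulnerableServer:
    """Accepts any message whose MAC verifies. The MAC covers only the user name,
    so a sniffed message is valid forever and replays verbatim (CWE-294)."""

    def authenticate(self, msg):
        return hmac.compare_digest(mac(msg["user"].encode()), msg["mac"])


class NonceServer:
    """Challenge-response. The server issues a fresh random nonce, the client
    MACs over (user, nonce), and the nonce is consumed on first use whether or
    not the MAC verifies. A replayed message carries a nonce that is no longer
    outstanding, and a nonce the server never issued is rejected outright."""

    def __init__(self):
        self._outstanding = set()

    def challenge(self):
        nonce = os.urandom(16)
        self._outstanding.add(nonce)
        return nonce

    def authenticate(self, msg):
        nonce = msg["nonce"]
        if nonce not in self._outstanding:
            return False                  # unknown, expired or already used
        self._outstanding.discard(nonce)  # single use
        return hmac.compare_digest(mac(msg["user"].encode(), nonce), msg["mac"])


class CounterServer:
    """Sequence-number anti-replay. Each sender's counter must strictly increase.
    The stored counter is advanced only after the MAC verifies: advancing it on
    an unauthenticated frame would let an attacker push it past the legitimate
    sender's value and lock that sender out."""

    def __init__(self):
        self._last = {}

    def authenticate(self, msg):
        user, ctr = msg["user"], msg["ctr"]
        if ctr <= self._last.get(user, -1):
            return False                  # stale or replayed counter
        if not hmac.compare_digest(mac(user.encode(), str(ctr).encode()), msg["mac"]):
            return False                  # forged frame; counter not advanced
        self._last[user] = ctr
        return True


# Client-side message builders for the three designs.
def vuln_msg(user):
    return {"user": user, "mac": mac(user.encode())}


def nonce_msg(user, nonce):
    return {"user": user, "nonce": nonce, "mac": mac(user.encode(), nonce)}


def counter_msg(user, ctr):
    return {"user": user, "ctr": ctr, "mac": mac(user.encode(), str(ctr).encode())}


def replay_demo():
    """Capture one legitimate login per design, then replay it unchanged.
    Returns {design: (first attempt accepted, replay accepted)}."""
    results = {}

    srv = VulnerableServer()
    captured = vuln_msg("operator")
    results["vulnerable"] = (srv.authenticate(captured), srv.authenticate(captured))

    srv = NonceServer()
    captured = nonce_msg("operator", srv.challenge())
    results["nonce"] = (srv.authenticate(captured), srv.authenticate(captured))

    srv = CounterServer()
    captured = counter_msg("operator", 41)
    results["counter"] = (srv.authenticate(captured), srv.authenticate(captured))
    return results


if __name__ == "__main__":
    for design, (first, replay) in replay_demo().items():
        print(f"{design:10s} first={first} replay={replay}")
```

Two caveats the example does not cover but a deployment must: outstanding nonces need an expiry so the set cannot grow without bound, and per-sender counters must survive a restart of the verifier, since a counter that resets to zero re-admits every previously captured frame. Any resynchronisation path for lost or out-of-order frames has to keep the same "never accept a value at or below the last authenticated one" rule, or it becomes the replay vector.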
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-102 · CAPEC-509 · CAPEC-555 · CAPEC-561 · CAPEC-60 · CAPEC-644 · CAPEC-645 · CAPEC-652 · CAPEC-701 · CAPEC-94
CVEs mapped to this weakness (89)
page 1 of 5

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-3191 | — | Critical | 0.69 | 9.8 | 0.63 | — | Dec 16, 2017 | D-Link DIR-130 firmware version 1.23 and DIR-330 firmware version 1.12 are vulnerable to authentication bypass of the remote login page. A remote attacker that can access the remote management login page can manipulate the POST request in such a manner as to access some… |
| CVE-2025-67135 | — | Critical | 0.64 | 9.8 | 0.00 | — | Feb 11, 2026 | Weak Security in the PF-50 1.2 keyfob of PGST PG107 Alarm System 1.25.05.hf allows attackers to compromise access control via a code replay attack. |
| CVE-2023-47435 | — | Critical | 0.64 | 9.8 | 0.01 | — | Apr 19, 2024 | An issue in the verifyPassword function of hexo-theme-matery v2.0.0 allows attackers to bypass authentication and access password protected pages. |
| CVE-2023-49231 | — | Critical | 0.64 | 9.8 | 0.43 | — | Mar 29, 2024 | An authentication bypass vulnerability was found in Stilog Visual Planning 8. It allows an unauthenticated attacker to receive an administrative API token. |
| CVE-2018-7790 | — | Critical | 0.64 | 9.8 | 0.02 | — | Aug 29, 2018 | An Information Management Error vulnerability exists in Schneider Electric's Modicon M221 product (all references, all versions prior to firmware V1.6.2.0). The vulnerability allows unauthorized users to replay authentication sequences. If an attacker exploits this vulnerability… |
| CVE-2017-6034 | — | Critical | 0.64 | 9.8 | 0.05 | — | Jun 30, 2017 | An authentication bypass by capture-replay issue was discovered in Schneider Electric Modicon Modbus Protocol. Sensitive information is transmitted in cleartext in the Modicon Modbus protocol, which may allow an attacker to replay the following commands: run, stop, upload, and… |
| CVE-2025-6030 | — | Critical | 0.61 | — | 0.00 | — | Jun 13, 2025 | Use of fixed learning codes, one code to lock the car and the other code to unlock it, in the Key Fob Transmitter in Cyclone Matrix TRF Smart Keyless Entry System, which allows a replay attack. Research was completed on the 2024 KIA Soluto. Attack confirmed on other KIA… |
| CVE-2025-6029 | — | Critical | 0.61 | — | 0.01 | — | Jun 13, 2025 | Use of fixed learning codes, one code to lock the car and the other code to unlock it, in the Key Fob Transmitter in KIA-branded Aftermarket Generic Smart Keyless Entry System, primarily distributed in Ecuador, which allows a replay attack. Manufacture is unknown at the time of… |
| CVE-2017-6823 | — | High | 0.61 | 8.8 | 0.08 | — | Mar 12, 2017 | Fiyo CMS 2.0.6.1 allows remote authenticated users to gain privileges via a modified level parameter to dapur/ in an app=user&act=edit action. |
| CVE-2021-27289 | — | Critical | 0.59 | 9.1 | 0.01 | — | Apr 15, 2025 | A replay attack vulnerability was discovered in a Zigbee smart home kit manufactured by Ksix (Zigbee Gateway Module = v1.0.3, Door Sensor = v1.0.7, Motion Sensor = v1.0.12), where the Zigbee anti-replay mechanism - based on the frame counter field - is improperly implemented. As… |
| CVE-2025-26201 | — | Critical | 0.59 | 9.1 | 0.01 | — | Feb 24, 2025 | Credential disclosure vulnerability via the /staff route in GreaterWMS <= 2.1.49 allows remote unauthenticated attackers to bypass authentication and escalate privileges. |
| CVE-2017-11786 | — | High | 0.58 | 8.8 | 0.09 | — | Oct 13, 2017 | Skype for Business in Microsoft Lync 2013 SP1 and Skype for Business 2016 allows an attacker to steal an authentication hash that can be reused elsewhere, due to how Skype for Business handles authentication requests, aka "Skype for Business Elevation of Privilege Vulnerability." |
| CVE-2026-44109 | — | Critical | 0.57 | 9.8 | 0.01 | — | May 6, 2026 | OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting… |
| CVE-2026-32987 | — | Critical | 0.57 | 9.8 | 0.00 | — | Mar 29, 2026 | OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times before approval to escalate pending pairing scopes, including privilege… |
| CVE-2024-12839 | — | High | 0.57 | 8.8 | 0.01 | — | Dec 31, 2024 | The login mechanism via device authentication of CGFIDO from Changing Information Technology has an Authentication Bypass vulnerability. If a user visits a forged website, the agent program deployed on their device will send an authentication signature to the website. An… |
| CVE-2024-46041 | — | High | 0.57 | 8.8 | 0.00 | — | Oct 7, 2024 | IoT Haat Smart Plug IH-IN-16A-S v5.16.1 is vulnerable to Authentication Bypass by Capture-replay. |
| CVE-2024-43099 | — | High | 0.57 | 8.8 | 0.00 | — | Sep 13, 2024 | The session hijacking attack targets the application layer's control mechanism, which manages authenticated sessions between a host PC and a PLC. During such sessions, a session key is utilized to maintain security. However, if an attacker captures this session key, they can… |
| CVE-2024-38284 | — | High | 0.57 | — | 0.00 | — | Jun 13, 2024 | Transmitted data is logged between the device and the backend service. An attacker could use these logs to perform a replay attack to replicate calls. |
| CVE-2026-34021 | — | High | 0.56 | — | 0.00 | — | Jun 15, 2026 | The Wertheim SafeController 5400, Controller 5400 - AssemblyVersion 6.11.8130.22320, uses RS-485 communication between the server and the microcontroller without cryptographic protection. An attacker with access to the communication path between the server and the… |
| CVE-2026-2540 | — | High | 0.55 | — | 0.00 | — | Feb 15, 2026 | The Micca KE700 system contains flawed resynchronization logic and is vulnerable to replay attacks. This attack requires sending two previously captured codes in a specific sequence. As a result, the system can be forced to accept previously used (stale) rolling codes and… |