VYPR

CWE-294

Authentication Bypass by Capture-replay

Abstraction: Base · Status: Incomplete · Likelihood: High

Description

A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

Capture-replay attacks are common and can be difficult to defeat without cryptography. They are a subset of network injection attacks that rely on observing previously-sent valid commands, then changing them slightly if necessary and resending the same commands to the server.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-102 · CAPEC-509 · CAPEC-555 · CAPEC-561 · CAPEC-60 · CAPEC-644 · CAPEC-645 · CAPEC-652 · CAPEC-701 · CAPEC-94

CVEs mapped to this weakness (89)

page 1 of 5
  • CVE-2017-3191 · Critical · Dec 16, 2017
    risk 0.69 · cvss 9.8 · epss 0.63

    D-Link DIR-130 firmware version 1.23 and DIR-330 firmware version 1.12 are vulnerable to authentication bypass of the remote login page. A remote attacker that can access the remote management login page can manipulate the POST request in such a manner as to access some…

  • CVE-2025-67135 · Critical · Feb 11, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Weak Security in the PF-50 1.2 keyfob of PGST PG107 Alarm System 1.25.05.hf allows attackers to compromise access control via a code replay attack.

  • CVE-2023-47435 · Critical · Apr 19, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    An issue in the verifyPassword function of hexo-theme-matery v2.0.0 allows attackers to bypass authentication and access password protected pages.

  • CVE-2023-49231 · Critical · Mar 29, 2024
    risk 0.64 · cvss 9.8 · epss 0.43

    An authentication bypass vulnerability was found in Stilog Visual Planning 8. It allows an unauthenticated attacker to receive an administrative API token.

  • CVE-2018-7790 · Critical · Aug 29, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    An Information Management Error vulnerability exists in Schneider Electric's Modicon M221 product (all references, all versions prior to firmware V1.6.2.0). The vulnerability allows unauthorized users to replay authentication sequences. If an attacker exploits this vulnerability…

  • CVE-2017-6034 · Critical · Jun 30, 2017
    risk 0.64 · cvss 9.8 · epss 0.05

    An authentication bypass by capture-replay issue was discovered in Schneider Electric Modicon Modbus Protocol. Sensitive information is transmitted in cleartext in the Modicon Modbus protocol, which may allow an attacker to replay the following commands: run, stop, upload, and…

  • CVE-2025-6030 · Critical · Jun 13, 2025
    risk 0.61 · cvss n/a · epss 0.00

    Use of fixed learning codes, one code to lock the car and the other code to unlock it, in the Key Fob Transmitter in Cyclone Matrix TRF Smart Keyless Entry System, which allows a replay attack. Research was completed on the 2024 KIA Soluto. Attack confirmed on other KIA…

  • CVE-2025-6029 · Critical · Jun 13, 2025
    risk 0.61 · cvss n/a · epss 0.01

    Use of fixed learning codes, one code to lock the car and the other code to unlock it, in the Key Fob Transmitter in KIA-branded Aftermarket Generic Smart Keyless Entry System, primarily distributed in Ecuador, which allows a replay attack. Manufacture is unknown at the time of…

  • CVE-2017-6823 · High · Mar 12, 2017
    risk 0.61 · cvss 8.8 · epss 0.08

    Fiyo CMS 2.0.6.1 allows remote authenticated users to gain privileges via a modified level parameter to dapur/ in an app=user&act=edit action.

  • CVE-2021-27289 · Critical · Apr 15, 2025
    risk 0.59 · cvss 9.1 · epss 0.01

    A replay attack vulnerability was discovered in a Zigbee smart home kit manufactured by Ksix (Zigbee Gateway Module = v1.0.3, Door Sensor = v1.0.7, Motion Sensor = v1.0.12), where the Zigbee anti-replay mechanism - based on the frame counter field - is improperly implemented. As…

  • CVE-2025-26201 · Critical · Feb 24, 2025
    risk 0.59 · cvss 9.1 · epss 0.01

    Credential disclosure vulnerability via the /staff route in GreaterWMS <= 2.1.49 allows remote unauthenticated attackers to bypass authentication and escalate privileges.

  • CVE-2017-11786 · High · Oct 13, 2017
    risk 0.58 · cvss 8.8 · epss 0.09

    Skype for Business in Microsoft Lync 2013 SP1 and Skype for Business 2016 allows an attacker to steal an authentication hash that can be reused elsewhere, due to how Skype for Business handles authentication requests, aka "Skype for Business Elevation of Privilege Vulnerability."

  • CVE-2026-44109 · Critical · May 6, 2026
    risk 0.57 · cvss 9.8 · epss 0.01

    OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting…

  • CVE-2026-32987 · Critical · Mar 29, 2026
    risk 0.57 · cvss 9.8 · epss 0.00

    OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times before approval to escalate pending pairing scopes, including privilege…

  • CVE-2024-12839 · High · Dec 31, 2024
    risk 0.57 · cvss 8.8 · epss 0.01

    The login mechanism via device authentication of CGFIDO from Changing Information Technology has an Authentication Bypass vulnerability. If a user visits a forged website, the agent program deployed on their device will send an authentication signature to the website. An…

  • CVE-2024-46041 · High · Oct 7, 2024
    risk 0.57 · cvss 8.8 · epss 0.00

    IoT Haat Smart Plug IH-IN-16A-S v5.16.1 is vulnerable to Authentication Bypass by Capture-replay.

  • CVE-2024-43099 · High · Sep 13, 2024
    risk 0.57 · cvss 8.8 · epss 0.00

    The session hijacking attack targets the application layer's control mechanism, which manages authenticated sessions between a host PC and a PLC. During such sessions, a session key is utilized to maintain security. However, if an attacker captures this session key, they can…

  • CVE-2024-38284 · High · Jun 13, 2024
    risk 0.57 · cvss n/a · epss 0.00

    Transmitted data is logged between the device and the backend service. An attacker could use these logs to perform a replay attack to replicate calls.

  • CVE-2026-34021 · High · Jun 15, 2026
    risk 0.56 · cvss n/a · epss 0.00

    The Wertheim SafeController 5400, Controller 5400 - AssemblyVersion 6.11.8130.22320, uses RS-485 communication between the server and the microcontroller without cryptographic protection. An attacker with access to the communication path between the server and the…

  • CVE-2026-2540 · High · Feb 15, 2026
    risk 0.55 · cvss n/a · epss 0.00

    The Micca KE700 system contains flawed resynchronization logic and is vulnerable to replay attacks. This attack requires sending two previously captured codes in a specific sequence. As a result, the system can be forced to accept previously used (stale) rolling codes and…