CWE-294
Authentication Bypass by Capture-replay
BaseIncompleteLikelihood: High
Description
A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
Capture-replay attacks are common and can be difficult to defeat without cryptography. They are a subset of network injection attacks that rely on observing previously-sent valid commands, then changing them slightly if necessary and resending the same commands to the server.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-102 · CAPEC-509 · CAPEC-555 · CAPEC-561 · CAPEC-60 · CAPEC-644 · CAPEC-645 · CAPEC-652 · CAPEC-701 · CAPEC-94
CVEs mapped to this weakness (32)
page 1 of 2| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-67135 | Cri | 0.64 | 9.8 | 0.00 | Feb 11, 2026 | Weak Security in the PF-50 1.2 keyfob of PGST PG107 Alarm System 1.25.05.hf allows attackers to compromise access control via a code replay attack. | |
| CVE-2023-47435 | Cri | 0.64 | 9.8 | 0.00 | Apr 19, 2024 | An issue in the verifyPassword function of hexo-theme-matery v2.0.0 allows attackers to bypass authentication and access password protected pages. | |
| CVE-2023-49231 | Cri | 0.64 | 9.8 | 0.01 | Mar 29, 2024 | An authentication bypass vulnerability was found in Stilog Visual Planning 8. It allows an unauthenticated attacker to receive an administrative API token. | |
| CVE-2025-6030 | Cri | 0.61 | — | 0.00 | Jun 13, 2025 | Use of fixed learning codes, one code to lock the car and the other code to unlock it, in the Key Fob Transmitter in Cyclone Matrix TRF Smart Keyless Entry System, which allows a replay attack. Research was completed on the 2024 KIA Soluto. Attack confirmed on other KIA Models in Ecuador. | |
| CVE-2025-6029 | Cri | 0.61 | — | 0.00 | Jun 13, 2025 | Use of fixed learning codes, one code to lock the car and the other code to unlock it, the Key Fob Transmitter in KIA-branded Aftermarket Generic Smart Keyless Entry System, primarily distributed in Ecuador, which allows a replay attack. Manufacture is unknown at the time of release. CVE Record will be updated once this is clarified. | |
| CVE-2021-27289 | Cri | 0.59 | 9.1 | 0.01 | Apr 15, 2025 | A replay attack vulnerability was discovered in a Zigbee smart home kit manufactured by Ksix (Zigbee Gateway Module = v1.0.3, Door Sensor = v1.0.7, Motion Sensor = v1.0.12), where the Zigbee anti-replay mechanism - based on the frame counter field - is improperly implemented. As a result, an attacker within wireless range can resend captured packets with a higher sequence number, which the devices incorrectly accept as legitimate messages. This allows spoofed commands to be injected without authentication, triggering false alerts and misleading the user through notifications in the mobile application used to monitor the network. | |
| CVE-2025-26201 | Cri | 0.59 | 9.1 | 0.01 | Feb 24, 2025 | Credential disclosure vulnerability via the /staff route in GreaterWMS <= 2.1.49 allows a remote unauthenticated attackers to bypass authentication and escalate privileges. | |
| CVE-2026-32987 | Cri | 0.57 | 9.8 | 0.00 | Mar 29, 2026 | OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times before approval to escalate pending pairing scopes, including privilege escalation to operator.admin. | |
| CVE-2024-12839 | Hig | 0.57 | 8.8 | 0.00 | Dec 31, 2024 | The login mechanism via device authentication of CGFIDO from Changing Information Technology has an Authentication Bypass vulnerability. If a user visits a forged website, the agent program deployed on their device will send an authentication signature to the website. An unauthenticated remote attacker who obtains this signature can use it to log into the system with any device. | |
| CVE-2024-46041 | Hig | 0.57 | 8.8 | 0.00 | Oct 7, 2024 | IoT Haat Smart Plug IH-IN-16A-S v5.16.1 is vulnerable to Authentication Bypass by Capture-replay. | |
| CVE-2024-43099 | Hig | 0.57 | 8.8 | 0.00 | Sep 13, 2024 | The session hijacking attack targets the application layer's control mechanism, which manages authenticated sessions between a host PC and a PLC. During such sessions, a session key is utilized to maintain security. However, if an attacker captures this session key, they can inject traffic into an ongoing authenticated session. To successfully achieve this, the attacker also needs to spoof both the IP address and MAC address of the originating host which is typical of a session-based attack. | |
| CVE-2024-38284 | Hig | 0.57 | — | 0.00 | Jun 13, 2024 | Transmitted data is logged between the device and the backend service. An attacker could use these logs to perform a replay attack to replicate calls. | |
| CVE-2026-2540 | Hig | 0.55 | — | 0.00 | Feb 15, 2026 | The Micca KE700 system contains flawed resynchronization logic and is vulnerable to replay attacks. This attack requires sending two previously captured codes in a specific sequence. As a result, the system can be forced to accept previously used (stale) rolling codes and execute a command. Successful exploitation allows an attacker to clone the alarm key. This grants the attacker unauthorized access to the vehicle to unlock or lock the doors. | |
| CVE-2025-59023 | Hig | 0.53 | 8.2 | 0.00 | Feb 9, 2026 | Crafted delegations or IP fragments can poison cached delegations in Recursor. | |
| CVE-2025-54810 | Hig | 0.52 | 8.0 | 0.00 | Sep 18, 2025 | Cognex In-Sight Explorer and In-Sight Camera Firmware expose a proprietary protocol on TCP port 1069 to perform management operations such as modifying system properties. The user management functionality handles sensitive data such as registered usernames and passwords over an unencrypted channel, allowing an adjacent attacker to intercept valid credentials to gain access to the device. | |
| CVE-2026-30080 | Hig | 0.49 | 7.5 | 0.00 | Apr 8, 2026 | OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. Configuration has supported integrity NIA1 and NIA2. But if an UE sends initial registration request with only security capability IA0, OpenAirInterface accepts and proceeds. This downgrade security context can lead to the possibility of replay attack. | |
| CVE-2024-12137 | Hig | 0.49 | 7.6 | 0.00 | Mar 19, 2025 | Authentication Bypass by Capture-replay vulnerability in Elfatek Elektronics ANKA JPD-00028 allows Session Hijacking.This issue affects ANKA JPD-00028: before V.01.01. | |
| CVE-2011-20002 | Hig | 0.48 | 7.4 | 0.00 | Oct 14, 2025 | A vulnerability has been identified in SIMATIC S7-1200 CPU V1 family (incl. SIPLUS variants) (All versions < V2.0.2), SIMATIC S7-1200 CPU V2 family (incl. SIPLUS variants) (All versions < V2.0.2). Affected controllers are vulnerable to capture-replay in the communication with the engineering software. This could allow an on-path attacker between the engineering software and the controller to execute any previously recorded commands at a later time (e.g. set the controller to STOP), regardless whether or not the controller had a password configured. | |
| CVE-2025-1887 | Hig | 0.46 | — | 0.00 | Mar 7, 2025 | SMB forced authentication vulnerability in versions prior to 2025.35.000 of Sage 200 Spain. This vulnerability allows an authenticated attacker with administrator privileges to obtain NTLMv2-SSP Hash by changing any of the paths to a UNC path pointing to a server controlled by the attacker. | |
| CVE-2026-27855 | Med | 0.44 | 6.8 | 0.00 | Mar 27, 2026 | Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username is altered in passdb, then OTP credentials can be cached so that same OTP reply is valid. An attacker able to observe an OTP exchange is able to log in as the user. If authentication happens over unsecure connection, switch to SCRAM protocol. Alternatively ensure the communcations are secured, and if possible switch to OAUTH2 or SCRAM. No publicly available exploits are known. |