CWE-294
Authentication Bypass by Capture-replay
Description
A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-102 · CAPEC-509 · CAPEC-555 · CAPEC-561 · CAPEC-60 · CAPEC-644 · CAPEC-645 · CAPEC-652 · CAPEC-701 · CAPEC-94
CVEs mapped to this weakness (89)
(page 2 of 5)

| CVE | Sev | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2025-13777 | High | 0.54 | 8.3 | 0.00 | Mar 13, 2026 | Authentication bypass by capture-replay vulnerability in ABB AWIN GW100 rev.2, ABB AWIN GW120. This issue affects AWIN GW100 rev.2: 2.0-0, 2.0-1; AWIN GW120: 1.2-0, 1.2-1. |
| CVE-2026-9095 | High | 0.53 | 8.1 | 0.00 | May 28, 2026 | Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache,… |
| CVE-2025-59023 | High | 0.53 | 8.2 | 0.00 | Feb 9, 2026 | Crafted delegations or IP fragments can poison cached delegations in Recursor. |
| CVE-2019-13533 | High | 0.53 | 8.1 | 0.01 | Dec 16, 2019 | In Omron PLC CJ series, all versions, and Omron PLC CS series, all versions, an attacker could monitor traffic between the PLC and the controller and replay requests that could result in the opening and closing of industrial valves. |
| CVE-2017-5251 | High | 0.53 | 8.1 | 0.01 | Feb 22, 2018 | In version 1012 and prior of Insteon's Insteon Hub, the radio transmissions used for communication between the hub and connected devices are not encrypted. |
| CVE-2025-54810 | High | 0.52 | 8.0 | 0.00 | Sep 18, 2025 | Cognex In-Sight Explorer and In-Sight Camera Firmware expose a proprietary protocol on TCP port 1069 to perform management operations such as modifying system properties. The user management functionality handles sensitive data such as registered usernames and passwords over… |
| CVE-2026-30080 | High | 0.49 | 7.5 | 0.00 | Apr 8, 2026 | OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. Configuration has supported integrity NIA1 and NIA2. But if a UE sends an initial registration request with only security capability IA0, OpenAirInterface accepts and proceeds. This downgrade… |
| CVE-2024-12137 | High | 0.49 | 7.6 | 0.00 | Mar 19, 2025 | Authentication Bypass by Capture-replay vulnerability in Elfatek Elektronics ANKA JPD-00028 allows Session Hijacking. This issue affects ANKA JPD-00028: before V.01.01. |
| CVE-2022-33971 | High | 0.49 | 7.5 | 0.01 | Jul 4, 2022 | Authentication bypass by capture-replay vulnerability exists in Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, and Machine automation controller NJ series all models V1.48 and… |
| CVE-2018-17176 | High | 0.49 | 7.5 | 0.01 | Sep 18, 2018 | A replay issue was discovered on Neato Botvac Connected 2.2.0 devices. Manual control mode requires authentication, but once recorded, the authentication (always transmitted in cleartext) can be replayed to /bin/webserver on port 8081. There are no nonces, and timestamps are not… |
| CVE-2011-20002 | High | 0.48 | 7.4 | 0.00 | Oct 14, 2025 | A vulnerability has been identified in SIMATIC S7-1200 CPU V1 family (incl. SIPLUS variants) (All versions < V2.0.2), SIMATIC S7-1200 CPU V2 family (incl. SIPLUS variants) (All versions < V2.0.2). Affected controllers are vulnerable to capture-replay in the communication with… |
| CVE-2026-42602 | High | 0.46 | 8.1 | 0.00 | May 13, 2026 | azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector's configured identity can mint for to authenticate… |
| CVE-2025-1887 | High | 0.46 | — | 0.00 | Mar 7, 2025 | SMB forced authentication vulnerability in versions prior to 2025.35.000 of Sage 200 Spain. This vulnerability allows an authenticated attacker with administrator privileges to obtain NTLMv2-SSP Hash by changing any of the paths to a UNC path pointing to a server controlled by… |
| CVE-2024-37016 | Medium | 0.44 | 6.8 | 0.00 | Jul 15, 2024 | Mengshen Wireless Door Alarm M70 2024-05-24 allows Authentication Bypass via a Capture-Replay approach. |
| CVE-2020-13799 | Medium | 0.44 | 6.8 | 0.00 | Nov 18, 2020 | Western Digital has identified a security vulnerability in the Replay Protected Memory Block (RPMB) protocol as specified in multiple standards for storage device interfaces, including all versions of eMMC, UFS, and NVMe. The RPMB protocol is specified by industry standards… |
| CVE-2026-41395 | High | 0.42 | 7.5 | 0.00 | Apr 28, 2026 | OpenClaw before 2026.3.28 contains a webhook replay vulnerability in Plivo V3 signature verification that canonicalizes query ordering for signatures but hashes raw URLs for replay detection. Attackers can reorder query parameters to bypass replay cache detection and trigger… |
| CVE-2026-34209 | High | 0.42 | 7.5 | 0.00 | Mar 31, 2026 | mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using "<" instead of "<=" against the on-chain settled amount. An attacker could submit a close voucher exactly… |
| CVE-2022-37418 | Medium | 0.42 | 6.4 | 0.01 | Aug 24, 2022 | The Remote Keyless Entry (RKE) receiving unit on certain Nissan, Kia, and Hyundai vehicles through 2017 allows remote attackers to perform unlock operations and force a resynchronization after capturing two consecutive valid key fob signals over the radio, aka a RollBack attack.… |
| CVE-2025-8616 | Medium | 0.40 | — | 0.00 | Aug 6, 2025 | A weakness identified in OpenText Advanced Authentication where a malicious browser plugin can record and replay the user authentication process to bypass authentication. This issue affects Advanced Authentication on or before 6.5.0. |
| CVE-2026-54783 | High | 0.38 | — | — | Jun 19, 2026 | Impact: The attacker, with one captured signed SOAP envelope from a victim and no other privileges, can invoke arbitrary operations on the service as the victim principal for the lifetime of the captured signing key. There is no rate limit on replays. The DetectReplays… |