VYPR

CWE-294

Authentication Bypass by Capture-replay

Base · Incomplete · Likelihood: High

Description

A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

Capture-replay attacks are common and can be difficult to defeat without cryptography. They are a subset of network injection attacks that rely on observing previously-sent valid commands, then changing them slightly if necessary and resending the same commands to the server.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-102 · CAPEC-509 · CAPEC-555 · CAPEC-561 · CAPEC-60 · CAPEC-644 · CAPEC-645 · CAPEC-652 · CAPEC-701 · CAPEC-94

CVEs mapped to this weakness (89)

page 2 of 5
  • CVE-2025-13777 · High · Mar 13, 2026
    risk 0.54 · cvss 8.3 · epss 0.00

    Authentication bypass by capture-replay vulnerability in ABB AWIN GW100 rev.2, ABB AWIN GW120. This issue affects AWIN GW100 rev.2: 2.0-0, 2.0-1; AWIN GW120: 1.2-0, 1.2-1.

  • CVE-2026-9095 · High · May 28, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache,…

  • CVE-2025-59023 · High · Feb 9, 2026
    risk 0.53 · cvss 8.2 · epss 0.00

    Crafted delegations or IP fragments can poison cached delegations in Recursor.

  • CVE-2019-13533 · High · Dec 16, 2019
    risk 0.53 · cvss 8.1 · epss 0.01

    In Omron PLC CJ series, all versions, and Omron PLC CS series, all versions, an attacker could monitor traffic between the PLC and the controller and replay requests that could result in the opening and closing of industrial valves.

  • CVE-2017-5251 · High · Feb 22, 2018
    risk 0.53 · cvss 8.1 · epss 0.01

    In version 1012 and prior of Insteon's Insteon Hub, the radio transmissions used for communication between the hub and connected devices are not encrypted.

  • CVE-2025-54810 · High · Sep 18, 2025
    risk 0.52 · cvss 8.0 · epss 0.00

    Cognex In-Sight Explorer and In-Sight Camera Firmware expose a proprietary protocol on TCP port 1069 to perform management operations such as modifying system properties. The user management functionality handles sensitive data such as registered usernames and passwords over…

  • CVE-2026-30080 · High · Apr 8, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. Configuration has supported integrity NIA1 and NIA2. But if a UE sends initial registration request with only security capability IA0, OpenAirInterface accepts and proceeds. This downgrade…

  • CVE-2024-12137 · High · Mar 19, 2025
    risk 0.49 · cvss 7.6 · epss 0.00

    Authentication Bypass by Capture-replay vulnerability in Elfatek Elektronics ANKA JPD-00028 allows Session Hijacking. This issue affects ANKA JPD-00028: before V.01.01.

  • CVE-2022-33971 · High · Jul 4, 2022
    risk 0.49 · cvss 7.5 · epss 0.01

    Authentication bypass by capture-replay vulnerability exists in Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, and Machine automation controller NJ series all models V 1.48 and…

  • CVE-2018-17176 · High · Sep 18, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    A replay issue was discovered on Neato Botvac Connected 2.2.0 devices. Manual control mode requires authentication, but once recorded, the authentication (always transmitted in cleartext) can be replayed to /bin/webserver on port 8081. There are no nonces, and timestamps are not…

  • CVE-2011-20002 · High · Oct 14, 2025
    risk 0.48 · cvss 7.4 · epss 0.00

    A vulnerability has been identified in SIMATIC S7-1200 CPU V1 family (incl. SIPLUS variants) (All versions < V2.0.2), SIMATIC S7-1200 CPU V2 family (incl. SIPLUS variants) (All versions < V2.0.2). Affected controllers are vulnerable to capture-replay in the communication with…

  • CVE-2026-42602 · High · May 13, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector's configured identity can mint for to authenticate…

  • CVE-2025-1887 · High · Mar 7, 2025
    risk 0.46 · cvss · epss 0.00

    SMB forced authentication vulnerability in versions prior to 2025.35.000 of Sage 200 Spain. This vulnerability allows an authenticated attacker with administrator privileges to obtain NTLMv2-SSP Hash by changing any of the paths to a UNC path pointing to a server controlled by…

  • CVE-2024-37016 · Medium · Jul 15, 2024
    risk 0.44 · cvss 6.8 · epss 0.00

    Mengshen Wireless Door Alarm M70 2024-05-24 allows Authentication Bypass via a Capture-Replay approach.

  • CVE-2020-13799 · Medium · Nov 18, 2020
    risk 0.44 · cvss 6.8 · epss 0.00

    Western Digital has identified a security vulnerability in the Replay Protected Memory Block (RPMB) protocol as specified in multiple standards for storage device interfaces, including all versions of eMMC, UFS, and NVMe. The RPMB protocol is specified by industry standards…

  • CVE-2026-41395 · High · Apr 28, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    OpenClaw before 2026.3.28 contains a webhook replay vulnerability in Plivo V3 signature verification that canonicalizes query ordering for signatures but hashes raw URLs for replay detection. Attackers can reorder query parameters to bypass replay cache detection and trigger…

  • CVE-2026-34209 · High · Mar 31, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using "<" instead of "<=" against the on-chain settled amount. An attacker could submit a close voucher exactly…

  • CVE-2022-37418 · Medium · Aug 24, 2022
    risk 0.42 · cvss 6.4 · epss 0.01

    The Remote Keyless Entry (RKE) receiving unit on certain Nissan, Kia, and Hyundai vehicles through 2017 allows remote attackers to perform unlock operations and force a resynchronization after capturing two consecutive valid key fob signals over the radio, aka a RollBack attack.…

  • CVE-2025-8616 · Medium · Aug 6, 2025
    risk 0.40 · cvss · epss 0.00

    A weakness was identified in OpenText Advanced Authentication where a malicious browser plugin can record and replay the user authentication process to bypass authentication. This issue affects Advanced Authentication on or before 6.5.0.

  • CVE-2026-54783 · High · Jun 19, 2026
    risk 0.38 · cvss · epss

    Impact: The attacker, with one captured signed SOAP envelope from a victim and no other privileges, can invoke arbitrary operations on the service as the victim principal for the lifetime of the captured signing key. There is no rate limit on replays. The DetectReplays…