CWE-306
Missing Authentication for Critical Function
Description
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62
CVEs mapped to this weakness (964)
page 7 of 49| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-35051 | Cri | 0.64 | 9.8 | 0.01 | Oct 9, 2025 | Newforma Project Center Server (NPCS) accepts serialized .NET data via the '/ProjectCenter.rem' endpoint on 9003/tcp, allowing a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITY\NetworkService' privileges. According to the recommended architecture,… | ||
| CVE-2025-41715 | — | Cri | 0.64 | 9.8 | 0.00 | Sep 24, 2025 | The database for the web application is exposed without authentication, allowing an unauthenticated remote attacker to gain unauthorized access and potentially compromise it. | |
| CVE-2025-9971 | Cri | 0.64 | 9.8 | 0.01 | Sep 17, 2025 | Certain models of Industrial Cellular Gateway developed by Planet Technology have a Missing Authentication vulnerability, allowing unauthenticated remote attackers to manipulate the device via a specific functionality. | ||
| CVE-2025-10452 | Cri | 0.64 | 9.8 | 0.01 | Sep 15, 2025 | Statistical Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents with high-level privileges. | ||
| CVE-2025-9994 | Cri | 0.64 | 9.8 | 0.01 | Sep 9, 2025 | The Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not have an authentication feature, allowing unauthorized access to anyone with network access. | ||
| CVE-2012-10062 | Hig | 0.64 | — | 0.01 | Aug 30, 2025 | A vulnerability in XAMPP, developed by Apache Friends, version 1.7.3's default WebDAV configuration allows remote authenticated attackers to upload and execute arbitrary PHP code. The WebDAV service, accessible via /webdav/, accepts HTTP PUT requests using default credentials.… | ||
| CVE-2025-8861 | Cri | 0.64 | 9.8 | 0.00 | Aug 29, 2025 | TSA developed by Changing has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents. | ||
| CVE-2022-43110 | Cri | 0.64 | 9.8 | 0.01 | Aug 22, 2025 | Voltronic Power ViewPower through 1.04-21353 and PowerShield Netguard before 1.04-23292 allows a remote attacker to configure the system via an unspecified web interface. An unauthenticated remote attacker can make changes to the system including: changing the web interface… | ||
| CVE-2025-27214 | Cri | 0.64 | 9.8 | 0.00 | Aug 21, 2025 | A Missing Authentication for Critical Function vulnerability in the UniFi Connect EV Station Pro may allow a malicious actor with physical or adjacent access to perform an unauthorized factory reset. Affected Products: UniFi Connect EV Station Pro (Version 1.5.18 and… | ||
| CVE-2025-51543 | Cri | 0.64 | 9.8 | 0.00 | Aug 19, 2025 | An issue was discovered in Cicool builder 3.4.4 allowing attackers to reset the administrator's password via the /administrator/auth/reset_password endpoint. | ||
| CVE-2025-5095 | Cri | 0.64 | 9.8 | 0.01 | Aug 8, 2025 | Burk Technology ARC Solo's password change mechanism can be utilized without proper authentication procedures, allowing an attacker to take over the device. A password change request can be sent directly to the device's HTTP endpoint without providing valid credentials. The… | ||
| CVE-2025-8284 | Cri | 0.64 | 9.8 | 0.01 | Aug 8, 2025 | By default, the Packet Power Monitoring and Control Web Interface do not enforce authentication mechanisms. This vulnerability could allow unauthorized users to access and manipulate monitoring and control functions. | ||
| CVE-2025-6260 | — | Cri | 0.64 | 9.8 | 0.00 | Jul 24, 2025 | The embedded web server on the thermostat listed version ranges contain a vulnerability that allows unauthenticated attackers, either on the local area network or from the Internet via a router with port forwarding set up, to gain direct access to the thermostat's embedded web… | |
| CVE-2025-34119 | Hig | 0.64 | — | 0.02 | Jul 16, 2025 | A remote file disclosure vulnerability exists in EasyCafe Server 2.2.14, exploitable by unauthenticated remote attackers via TCP port 831. The server listens for a custom protocol where opcode 0x43 can be used to request arbitrary files by absolute path. If the file exists and… | ||
| CVE-2025-3498 | Cri | 0.64 | 9.9 | 0.00 | Jul 9, 2025 | An unauthenticated user with management network access can get and modify the Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) configuration. The device has two web servers that expose unauthenticated REST APIs on the management network (TCP ports 8084 and 8086). An… | ||
| CVE-2025-5310 | Cri | 0.64 | 9.8 | 0.01 | Jun 27, 2025 | Dover Fueling Solutions ProGauge MagLink LX Consoles expose an undocumented and unauthenticated target communication framework (TCF) interface on a specific port. Files can be created, deleted, or modified, potentially leading to remote code execution. | ||
| CVE-2025-3699 | Cri | 0.64 | 9.8 | 0.01 | Jun 26, 2025 | Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation G-50 all versions, G-50-W all versions, G-50A all versions, GB-50 all versions, GB-50A all versions, GB-24A all versions, G-150AD all versions, AG-150A-A all versions, AG-150A-J all… | ||
| CVE-2025-1907 | Cri | 0.64 | 9.8 | 0.01 | May 30, 2025 | Instantel Micromate lacks authentication on a configuration port which could allow an attacker to execute commands if connected. | ||
| CVE-2025-41651 | — | Cri | 0.64 | 9.8 | 0.01 | May 27, 2025 | Due to missing authentication on a critical function of the devices an unauthenticated remote attacker can execute arbitrary commands, potentially enabling unauthorized upload or download of configuration files and leading to full system compromise. | |
| CVE-2025-4555 | Cri | 0.64 | 9.8 | 0.01 | May 12, 2025 | The web management interface of Okcat Parking Management Platform from ZONG YU has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly access system functions. These functions include opening gates, viewing license plates and parking… |
- risk 0.64cvss 9.8epss 0.01
Newforma Project Center Server (NPCS) accepts serialized .NET data via the '/ProjectCenter.rem' endpoint on 9003/tcp, allowing a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITY\NetworkService' privileges. According to the recommended architecture,…
- risk 0.64cvss 9.8epss 0.00
The database for the web application is exposed without authentication, allowing an unauthenticated remote attacker to gain unauthorized access and potentially compromise it.
- risk 0.64cvss 9.8epss 0.01
Certain models of Industrial Cellular Gateway developed by Planet Technology have a Missing Authentication vulnerability, allowing unauthenticated remote attackers to manipulate the device via a specific functionality.
- risk 0.64cvss 9.8epss 0.01
Statistical Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents with high-level privileges.
- risk 0.64cvss 9.8epss 0.01
The Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not have an authentication feature, allowing unauthorized access to anyone with network access.
- risk 0.64cvss —epss 0.01
A vulnerability in XAMPP, developed by Apache Friends, version 1.7.3's default WebDAV configuration allows remote authenticated attackers to upload and execute arbitrary PHP code. The WebDAV service, accessible via /webdav/, accepts HTTP PUT requests using default credentials.…
- risk 0.64cvss 9.8epss 0.00
TSA developed by Changing has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents.
- risk 0.64cvss 9.8epss 0.01
Voltronic Power ViewPower through 1.04-21353 and PowerShield Netguard before 1.04-23292 allows a remote attacker to configure the system via an unspecified web interface. An unauthenticated remote attacker can make changes to the system including: changing the web interface…
- risk 0.64cvss 9.8epss 0.00
A Missing Authentication for Critical Function vulnerability in the UniFi Connect EV Station Pro may allow a malicious actor with physical or adjacent access to perform an unauthorized factory reset. Affected Products: UniFi Connect EV Station Pro (Version 1.5.18 and…
- risk 0.64cvss 9.8epss 0.00
An issue was discovered in Cicool builder 3.4.4 allowing attackers to reset the administrator's password via the /administrator/auth/reset_password endpoint.
- risk 0.64cvss 9.8epss 0.01
Burk Technology ARC Solo's password change mechanism can be utilized without proper authentication procedures, allowing an attacker to take over the device. A password change request can be sent directly to the device's HTTP endpoint without providing valid credentials. The…
- risk 0.64cvss 9.8epss 0.01
By default, the Packet Power Monitoring and Control Web Interface do not enforce authentication mechanisms. This vulnerability could allow unauthorized users to access and manipulate monitoring and control functions.
- risk 0.64cvss 9.8epss 0.00
The embedded web server on the thermostat listed version ranges contain a vulnerability that allows unauthenticated attackers, either on the local area network or from the Internet via a router with port forwarding set up, to gain direct access to the thermostat's embedded web…
- risk 0.64cvss —epss 0.02
A remote file disclosure vulnerability exists in EasyCafe Server 2.2.14, exploitable by unauthenticated remote attackers via TCP port 831. The server listens for a custom protocol where opcode 0x43 can be used to request arbitrary files by absolute path. If the file exists and…
- risk 0.64cvss 9.9epss 0.00
An unauthenticated user with management network access can get and modify the Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) configuration. The device has two web servers that expose unauthenticated REST APIs on the management network (TCP ports 8084 and 8086). An…
- risk 0.64cvss 9.8epss 0.01
Dover Fueling Solutions ProGauge MagLink LX Consoles expose an undocumented and unauthenticated target communication framework (TCF) interface on a specific port. Files can be created, deleted, or modified, potentially leading to remote code execution.
- risk 0.64cvss 9.8epss 0.01
Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation G-50 all versions, G-50-W all versions, G-50A all versions, GB-50 all versions, GB-50A all versions, GB-24A all versions, G-150AD all versions, AG-150A-A all versions, AG-150A-J all…
- risk 0.64cvss 9.8epss 0.01
Instantel Micromate lacks authentication on a configuration port which could allow an attacker to execute commands if connected.
- risk 0.64cvss 9.8epss 0.01
Due to missing authentication on a critical function of the devices an unauthenticated remote attacker can execute arbitrary commands, potentially enabling unauthorized upload or download of configuration files and leading to full system compromise.
- risk 0.64cvss 9.8epss 0.01
The web management interface of Okcat Parking Management Platform from ZONG YU has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly access system functions. These functions include opening gates, viewing license plates and parking…