VYPR

CWE-306

Missing Authentication for Critical Function

Abstraction: Base · Status: Draft · Likelihood of Exploit: High

Description

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
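Worked example added by the editor (not code from the CWE entry or from any product listed below): a password-change endpoint that runs with no identity check at all, the shape several entries on this page describe, beside a deny-by-default version that verifies credentials before any handler logic executes, and the unauthenticated probe a tester sends to tell the two apart. The path `/admin/reset_password`, the in-memory user store and its credential are constructed for this example; HTTP Basic is used only because it keeps the check short, not as a recommendation.

```python
import base64
import hmac
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple

# Constructed in-memory user store; path and credential are illustrative only.
ADMIN_PASSWORD = "correct horse battery staple"
USERS = {"admin": ADMIN_PASSWORD}
RESET_PATH = "/admin/reset_password"


class VulnerableHandler(BaseHTTPRequestHandler):
    """CWE-306: the password-change function runs for any caller."""

    def do_POST(self):
        if self.path != RESET_PATH:
            self._reply(404, {"error": "not found"})
            return
        body = json.loads(self._read_body() or b"{}")
        USERS[body["user"]] = body["new_password"]   # no identity check at all
        self._reply(200, {"status": "password changed"})

    def _read_body(self) -> bytes:
        return self.rfile.read(int(self.headers.get("Content-Length", 0)))

    def _reply(self, code: int, obj: dict) -> None:
        data = json.dumps(obj).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


class HardenedHandler(VulnerableHandler):
    """Deny by default: credentials are verified before any handler logic runs."""

    def _authenticated(self) -> bool:
        header = self.headers.get("Authorization", "")
        if not header.startswith("Basic "):
            return False
        try:
            user, _, password = base64.b64decode(header[6:]).decode().partition(":")
        except ValueError:            # malformed base64 or non-UTF-8 payload
            return False
        expected = USERS.get(user)
        # constant-time comparison so the check does not leak via timing
        return expected is not None and hmac.compare_digest(
            password.encode(), expected.encode())

    def do_POST(self):
        if not self._authenticated():
            self._read_body()         # drain the request before refusing it
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="admin"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        super().do_POST()


def start(handler) -> Tuple[HTTPServer, str]:
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def post(url: str, body: dict, auth: Optional[Tuple[str, str]] = None) -> int:
    """POST JSON and return the HTTP status, error responses included."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    if auth is not None:
        token = base64.b64encode(("%s:%s" % auth).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def reachable_without_auth(base_url: str, path: str) -> bool:
    """The tester's check: call the critical function with no credentials.
    Anything other than 401/403 means it is reachable unauthenticated."""
    return post(base_url + path, {"user": "admin", "new_password": "pwned"}) not in (401, 403)


def demo() -> dict:
    results = {}
    for name, handler in (("vulnerable", VulnerableHandler), ("hardened", HardenedHandler)):
        USERS["admin"] = ADMIN_PASSWORD
        server, url = start(handler)
        try:
            results[name] = {
                "unauth_reachable": reachable_without_auth(url, RESET_PATH),
                "password_after_probe": USERS["admin"],
                "bad_creds_status": post(url + RESET_PATH, {"user": "admin", "new_password": "x"},
                                         auth=("admin", "wrong")),
                "good_creds_status": post(url + RESET_PATH, {"user": "admin", "new_password": "rotated"},
                                          auth=("admin", ADMIN_PASSWORD)),
            }
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints both servers' results: the vulnerable handler accepts the credential-less probe and the admin password is replaced, while the hardened one answers 401 to both the probe and wrong credentials and only acts on a correct login. The decision rule in `reachable_without_auth` is the one to apply to every critical function an interface exposes (password change, factory reset, configuration upload, file access), because this weakness is the absence of a check rather than a check that can be bypassed.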

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62

CVEs mapped to this weakness (964)

page 7 of 49
  • CVE-2025-35051 · Critical · Oct 9, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    Newforma Project Center Server (NPCS) accepts serialized .NET data via the '/ProjectCenter.rem' endpoint on 9003/tcp, allowing a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITY\NetworkService' privileges. According to the recommended architecture,…

  • CVE-2025-41715 · Critical · Sep 24, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    The database for the web application is exposed without authentication, allowing an unauthenticated remote attacker to gain unauthorized access and potentially compromise it.

  • CVE-2025-9971 · Critical · Sep 17, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    Certain models of Industrial Cellular Gateway developed by Planet Technology have a Missing Authentication vulnerability, allowing unauthenticated remote attackers to manipulate the device via a specific functionality.

  • CVE-2025-10452 · Critical · Sep 15, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    Statistical Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents with high-level privileges.

  • CVE-2025-9994 · Critical · Sep 9, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    The Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not have an authentication feature, allowing unauthorized access to anyone with network access.

  • CVE-2012-10062 · High · Aug 30, 2025
    risk 0.64 · cvss n/a · epss 0.01

    A vulnerability in XAMPP, developed by Apache Friends, version 1.7.3's default WebDAV configuration allows remote authenticated attackers to upload and execute arbitrary PHP code. The WebDAV service, accessible via /webdav/, accepts HTTP PUT requests using default credentials.…

  • CVE-2025-8861 · Critical · Aug 29, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    TSA developed by Changing has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents.

  • CVE-2022-43110 · Critical · Aug 22, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    Voltronic Power ViewPower through 1.04-21353 and PowerShield Netguard before 1.04-23292 allows a remote attacker to configure the system via an unspecified web interface. An unauthenticated remote attacker can make changes to the system including: changing the web interface…

  • CVE-2025-27214 · Critical · Aug 21, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    A Missing Authentication for Critical Function vulnerability in the UniFi Connect EV Station Pro may allow a malicious actor with physical or adjacent access to perform an unauthorized factory reset. Affected Products: UniFi Connect EV Station Pro (Version 1.5.18 and…

  • CVE-2025-51543 · Critical · Aug 19, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    An issue was discovered in Cicool builder 3.4.4 allowing attackers to reset the administrator's password via the /administrator/auth/reset_password endpoint.

  • CVE-2025-5095 · Critical · Aug 8, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    Burk Technology ARC Solo's password change mechanism can be utilized without proper authentication procedures, allowing an attacker to take over the device. A password change request can be sent directly to the device's HTTP endpoint without providing valid credentials. The…

  • CVE-2025-8284 · Critical · Aug 8, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    By default, the Packet Power Monitoring and Control Web Interface do not enforce authentication mechanisms. This vulnerability could allow unauthorized users to access and manipulate monitoring and control functions.

  • CVE-2025-6260 · Critical · Jul 24, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    The embedded web server on the thermostat listed version ranges contain a vulnerability that allows unauthenticated attackers, either on the local area network or from the Internet via a router with port forwarding set up, to gain direct access to the thermostat's embedded web…

  • CVE-2025-34119 · High · Jul 16, 2025
    risk 0.64 · cvss n/a · epss 0.02

    A remote file disclosure vulnerability exists in EasyCafe Server 2.2.14, exploitable by unauthenticated remote attackers via TCP port 831. The server listens for a custom protocol where opcode 0x43 can be used to request arbitrary files by absolute path. If the file exists and…

  • CVE-2025-3498 · Critical · Jul 9, 2025
    risk 0.64 · cvss 9.9 · epss 0.00

    An unauthenticated user with management network access can get and modify the Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) configuration. The device has two web servers that expose unauthenticated REST APIs on the management network (TCP ports 8084 and 8086). An…

  • CVE-2025-5310 · Critical · Jun 27, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    Dover Fueling Solutions ProGauge MagLink LX Consoles expose an undocumented and unauthenticated target communication framework (TCF) interface on a specific port. Files can be created, deleted, or modified, potentially leading to remote code execution.

  • CVE-2025-3699 · Critical · Jun 26, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation G-50 all versions, G-50-W all versions, G-50A all versions, GB-50 all versions, GB-50A all versions, GB-24A all versions, G-150AD all versions, AG-150A-A all versions, AG-150A-J all…

  • CVE-2025-1907 · Critical · May 30, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    Instantel Micromate lacks authentication on a configuration port which could allow an attacker to execute commands if connected.

  • CVE-2025-41651 · Critical · May 27, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    Due to missing authentication on a critical function of the devices an unauthenticated remote attacker can execute arbitrary commands, potentially enabling unauthorized upload or download of configuration files and leading to full system compromise.

  • CVE-2025-4555 · Critical · May 12, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    The web management interface of Okcat Parking Management Platform from ZONG YU has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly access system functions. These functions include opening gates, viewing license plates and parking…