Gmission Web Fax CVE-2025-15070
MEDIUMSeverity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Exposure of Sensitive Information to an Unauthorized Actor, Missing Authorization vulnerability in Gmission Web Fax allows Authentication Abuse.
This issue affects Web Fax: from 3.0 before 3.0.1
AnalysisAI
Sensitive information disclosure in Gmission Web Fax 3.0 (before 3.0.1) enables a locally authenticated low-privileged user to access protected fax data without proper authorization. The root cause is missing authorization checks (CWE-200) that can be abused by an authenticated local actor to read confidential information beyond their intended access scope. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Technical ContextAI
The vulnerability affects the Gmission Web Fax software platform (cpe:2.3:a:gmission:web_fax:*:*:*:*:*:*:*:*), a web-based fax management application developed by Gmission (South Korean vendor). The root cause class is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), arising from absent or insufficient server-side authorization enforcement. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N) confirms the flaw is exploitable locally with low-complexity conditions requiring only low-privilege credentials, with no attack target prerequisites and no user interaction. The 'Authentication Abuse' tag indicates that the authentication mechanism is present but the application fails to enforce downstream authorization - a low-privileged authenticated session can be leveraged to reach data objects the user should not be permitted to access.
RemediationAI
The primary fix is to upgrade Gmission Web Fax to version 3.0.1, which addresses the missing authorization controls. The vendor advisory is available at https://www.gmission.co.kr/fax1. If immediate upgrade is not possible, organizations should restrict local system access to the Web Fax application to only those users who require full access to sensitive fax data - for example, by enforcing OS-level access controls or limiting application account provisioning to reduce the pool of low-privileged users who can authenticate. Network-level controls are not applicable given the local attack vector. Tightening session and role-based access controls at the application layer, if configurable outside the patch, may also reduce exposure while awaiting upgrade.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today