CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Description (NVD)
An unauthenticated remote attacker can obtain limited sensitive information and/or DoS the device due to missing authentication for critical function.
Analysis (AI)
CVE-2025-3090 is a critical authentication bypass vulnerability affecting network devices: sensitive functions are exposed without any authentication requirement. It allows unauthenticated remote attackers to obtain limited sensitive information and trigger denial-of-service conditions without any user interaction or special privileges. If actively exploited (KEV status pending confirmation), this represents an immediate threat to exposed devices, as the attack vector is network-based with low complexity.
Technical Context (AI)
This vulnerability stems from CWE-306 (Missing Authentication for Critical Function), a weakness where critical operations lack proper access controls. The affected system appears to be a network device (based on unauthenticated remote accessibility) that implements sensitive functions without enforcing authentication mechanisms at the API, protocol, or service level. The absence of authentication allows attackers to directly interact with critical functions over the network without credentials, bypassing standard identity verification and authorization checks. The limited information disclosure component suggests information enumeration capabilities (device details, configuration parameters), while the DoS aspect indicates attackers can stress resources or trigger uncontrolled operations.
Remediation (AI)
1. Patch immediately: Identify the affected device vendor and product from CPE/advisory data; apply the highest available patched version.
2. Network segmentation: Restrict network access to sensitive functions by implementing firewall rules limiting access to trusted networks/IPs only.
3. Disable affected services: If patching is delayed, disable or restrict access to the critical functions identified in the vendor advisory until patches are applied.
4. Authentication enforcement: If the vendor provides interim mitigations, enable additional authentication layers or API gateways requiring credentials for function access.
5. Monitoring: Deploy IDS/IPS rules and log analysis to detect unauthenticated access attempts to critical functions.

Consult vendor security advisories and KB articles for product-specific patch versions and workarounds once CVE-2025-3090 advisory details are published.
EUVD-2025-27795