Skip to main content

Enterprise Video Platform CVE-2026-12692

CRITICAL
Unverified Password Change (CWE-620)
2026-07-17 TR-CERT
9.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (TR-CERT) PRIMARY
CRITICAL
qualitative
NVD
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Network-reachable password-change endpoint requires no auth or interaction (AV:N/AC:L/PR:N/UI:N); account takeover yields full C/I/A impact within the app's unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (TR-CERT).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 17, 2026 - 17:16 vuln.today
CVE Published
Jul 17, 2026 - 16:39 cve.org
CRITICAL 9.8

DescriptionNVD

Unverified password change vulnerability in Vimesoft Inc. Enterprise Video Platform allows Authentication Bypass.

This issue affects Enterprise Video Platform: from 3.11.0.0 before 3.25.0.

AnalysisAI

Authentication bypass in Vimesoft Enterprise Video Platform (versions 3.11.0.0 up to but not including 3.25.0) lets a remote, unauthenticated attacker change a victim's password without verifying the existing credential (CWE-620), enabling full account takeover. Reported by Turkey's national CERT (TR-CERT/USOM) and rated CVSS 9.8, the flaw grants complete control over targeted accounts. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach network-exposed platform
Delivery
Locate password-change/reset endpoint
Exploit
Submit unverified password change for target
Execution
Set attacker-controlled password
Persist
Log in as victim
Impact
Full account takeover

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default configurations of Vimesoft Enterprise Video Platform, per the CVSS vector (AV:N/AC:L/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = 9.8) describes a network-reachable, low-complexity, unauthenticated attack with full confidentiality, integrity, and availability impact on the compromised account - consistent with account takeover via an unverified password change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the platform over the network sends a crafted request to the password-change/reset endpoint for a target user, and because the current credential or a valid reset token is not verified, the server sets an attacker-chosen password. The attacker then authenticates as that user and gains full control of the account. …
Remediation Vendor-released patch: upgrade Enterprise Video Platform to version 3.25.0 or later, which is the first fixed release for the 3.11.0.0-3.24.x affected range. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running Vimesoft Enterprise Video Platform versions 3.11.0.0 through 3.24.x and restrict their network accessibility from untrusted sources; activate security monitoring to baseline password-change activity and establish incident response readiness. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12692 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy