Enterprise Video Platform
CVE-2026-12692
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable password-change endpoint requires no auth or interaction (AV:N/AC:L/PR:N/UI:N); account takeover yields full C/I/A impact within the app's unchanged scope.
Primary rating from Vendor (TR-CERT).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
Unverified password change vulnerability in Vimesoft Inc. Enterprise Video Platform allows Authentication Bypass.
This issue affects Enterprise Video Platform: from 3.11.0.0 before 3.25.0.
AnalysisAI
Authentication bypass in Vimesoft Enterprise Video Platform (versions 3.11.0.0 up to but not including 3.25.0) lets a remote, unauthenticated attacker change a victim's password without verifying the existing credential (CWE-620), enabling full account takeover. Reported by Turkey's national CERT (TR-CERT/USOM) and rated CVSS 9.8, the flaw grants complete control over targeted accounts. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation against default configurations of Vimesoft Enterprise Video Platform, per the CVSS vector (AV:N/AC:L/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = 9.8) describes a network-reachable, low-complexity, unauthenticated attack with full confidentiality, integrity, and availability impact on the compromised account - consistent with account takeover via an unverified password change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the platform over the network sends a crafted request to the password-change/reset endpoint for a target user, and because the current credential or a valid reset token is not verified, the server sets an attacker-chosen password. The attacker then authenticates as that user and gains full control of the account. … |
| Remediation | Vendor-released patch: upgrade Enterprise Video Platform to version 3.25.0 or later, which is the first fixed release for the 3.11.0.0-3.24.x affected range. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running Vimesoft Enterprise Video Platform versions 3.11.0.0 through 3.24.x and restrict their network accessibility from untrusted sources; activate security monitoring to baseline password-change activity and establish incident response readiness. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Enterprise Video Platform
View allSame weakness CWE-620 – Unverified Password Change
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today