Skip to main content

Enterprise Video Platform CVE-2026-12693

CRITICAL
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-17 iletisim@usom.gov.tr
9.4
CVSS 3.1 · Vendor: usom
Share

Severity by source

Vendor (usom) PRIMARY
9.4 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
vuln.today AI
9.4 CRITICAL

Network-reachable IDOR needing no auth or interaction (AV:N/AC:L/PR:N/UI:N); user-controlled key exposes and alters other users' data (C:H/I:H) with limited availability effect (A:L).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (usom).

CVSS VectorVendor: usom

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 17, 2026 - 17:30 vuln.today
CVE Published
Jul 17, 2026 - 17:17 nvd
CRITICAL 9.4

DescriptionCVE.org

Authorization bypass through User-Controlled key vulnerability in Vimesoft Inc. Enterprise Video Platform allows Accessing Functionality Not Properly Constrained by ACLs.

This issue affects Enterprise Video Platform: from 3.11.0.0 before 3.25.0.

AnalysisAI

Authorization bypass in Vimesoft Enterprise Video Platform (versions 3.11.0.0 up to but not including 3.25.0) lets remote unauthenticated attackers manipulate a user-controlled key (an IDOR-style reference) to reach functionality that should be restricted by access-control lists. Reported to Turkey's national CSIRT (USOM) with a CVSS 9.4, it enables reading and altering other tenants'/users' resources; no public exploit identified at time of analysis and the flaw is not in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach network-facing platform endpoint
Delivery
Enumerate valid resource identifiers
Exploit
Substitute user-controlled key in request
Execution
Bypass ACL authorization check
Impact
Access/modify other users' resources

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default configurations of Vimesoft Enterprise Video Platform is indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) describes an easy-to-exploit, network-reachable, unauthenticated flaw with high confidentiality and integrity impact and low availability impact, yielding the 9.4 base score - a genuinely high-priority profile for an internet-facing video platform. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker reaches the platform over the network without credentials, intercepts or crafts a request that references a resource by its identifier, and increments or substitutes that identifier to point at another user's meeting, recording, or administrative function. Because the server does not re-check ownership, the attacker views or modifies content belonging to other users; no public POC was identified, but the low attack complexity makes manual discovery straightforward.
Remediation Upgrade Enterprise Video Platform to version 3.25.0 or later, which is the first release outside the affected range per the NVD version data (Patch available per vendor advisory; consult TR-26-0574 at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0574 and confirm the exact fixed build with Vimesoft before deployment). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify and document all Vimesoft Enterprise Video Platform instances running versions 3.11.0.0 through 3.24.x, implement network-level access restrictions to limit platform exposure, and enable enhanced API logging to detect unauthorized cross-tenant access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12693 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy