Enterprise Video Platform CVE-2026-12693
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Network-reachable IDOR needing no auth or interaction (AV:N/AC:L/PR:N/UI:N); user-controlled key exposes and alters other users' data (C:H/I:H) with limited availability effect (A:L).
Primary rating from Vendor (usom).
CVSS VectorVendor: usom
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
2DescriptionCVE.org
Authorization bypass through User-Controlled key vulnerability in Vimesoft Inc. Enterprise Video Platform allows Accessing Functionality Not Properly Constrained by ACLs.
This issue affects Enterprise Video Platform: from 3.11.0.0 before 3.25.0.
AnalysisAI
Authorization bypass in Vimesoft Enterprise Video Platform (versions 3.11.0.0 up to but not including 3.25.0) lets remote unauthenticated attackers manipulate a user-controlled key (an IDOR-style reference) to reach functionality that should be restricted by access-control lists. Reported to Turkey's national CSIRT (USOM) with a CVSS 9.4, it enables reading and altering other tenants'/users' resources; no public exploit identified at time of analysis and the flaw is not in CISA KEV.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation against default configurations of Vimesoft Enterprise Video Platform is indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) describes an easy-to-exploit, network-reachable, unauthenticated flaw with high confidentiality and integrity impact and low availability impact, yielding the 9.4 base score - a genuinely high-priority profile for an internet-facing video platform. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker reaches the platform over the network without credentials, intercepts or crafts a request that references a resource by its identifier, and increments or substitutes that identifier to point at another user's meeting, recording, or administrative function. Because the server does not re-check ownership, the attacker views or modifies content belonging to other users; no public POC was identified, but the low attack complexity makes manual discovery straightforward. |
| Remediation | Upgrade Enterprise Video Platform to version 3.25.0 or later, which is the first release outside the affected range per the NVD version data (Patch available per vendor advisory; consult TR-26-0574 at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0574 and confirm the exact fixed build with Vimesoft before deployment). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify and document all Vimesoft Enterprise Video Platform instances running versions 3.11.0.0 through 3.24.x, implement network-level access restrictions to limit platform exposure, and enable enhanced API logging to detect unauthorized cross-tenant access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today