Enterprise Video Platform CVE-2026-12694
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Missing authorization on a network endpoint permits unauthenticated (PR:N), low-complexity state-changing calls affecting integrity and availability; no data disclosure, so C:N.
Primary rating from Vendor (usom).
CVSS VectorVendor: usom
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in Vimesoft Inc. Enterprise Video Platform allows Accessing Functionality Not Properly Constrained by ACLs.
This issue affects Enterprise Video Platform: from 3.11.0.0 before 3.25.0.
AnalysisAI
Improper access control in Vimesoft Enterprise Video Platform (versions 3.11.0.0 up to but not including 3.25.0) allows remote unauthenticated attackers to invoke privileged functionality that is not properly constrained by access control lists. Because the missing authorization check exposes state-changing operations, an attacker can modify or disrupt platform data and availability without credentials. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Per the CVSS vector (AV:N/AC:L/PR:N/UI:N), no special conditions are required - remote unauthenticated exploitation is possible against network-reachable deployments of Enterprise Video Platform in the affected 3.11.0.0-3.24.x range. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 9.1 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H, indicating network-reachable, low-complexity, unauthenticated exploitation with no user interaction and high impact to integrity and availability but no confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the platform over the network sends a crafted request directly to a privileged function that lacks an authorization check, performing a state-changing action (such as altering configuration or media/session data) without holding an account. Because no authentication, user interaction, or special conditions are required, the request succeeds against a default deployment, damaging data integrity and service availability. … |
| Remediation | Upgrade Enterprise Video Platform to version 3.25.0 or later, which is the first release outside the affected range and therefore the vendor-released fixed version (Vendor-released patch: 3.25.0). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all Vimesoft deployments to identify affected versions (3.11.0.0-3.24.x); review platform audit logs for suspicious state-changing operations; restrict network access to the platform through firewall rules or network segmentation to minimize attack surface. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today