CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3). Affected products do not properly validate user authorization when processing password reset requests. This could allow an authenticated remote attacker to bypass authorization checks, leading to the ability to reset the password of any arbitrary user account.
Analysis (AI)
SINEC NMS versions prior to V4.0 SP3 allow authenticated remote attackers to reset any user account password due to improper authorization validation (CWE-639). An attacker with low-privilege credentials can escalate to administrative access by resetting privileged user passwords, enabling complete system compromise with high impact to confidentiality, integrity, and availability (CVSS 8.8). …
Remediation (AI)
Within 24 hours: Identify all SINEC NMS deployments and document current versions; restrict network access to SINEC NMS administrative interfaces to trusted networks only. Within 7 days: Implement application-level monitoring for unauthorized password reset attempts; enforce multi-factor authentication for administrative accounts if supported by the product version. …
EUVD-2026-22236
GHSA-qw84-4pc7-fxvw