Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
OpenPLC_V3 is vulnerable to an Initialization of a Resource with an Insecure Default vulnerability which could allow an attacker to gain access to the system by bypassing authentication via an API.
AnalysisAI
Authentication bypass in OpenPLC_V3 allows unauthenticated remote attackers to gain unauthorized system access through insecurely configured API endpoints. The vulnerability stems from insecure default resource initialization (CWE-1188), enabling complete circumvention of authentication mechanisms. Attackers can exploit this over the network with low attack complexity to achieve high confidentiality, integrity, and availability impact across vulnerable and subsequent systems. No public exploit identified at time of analysis.
Technical ContextAI
Root cause: insecure default initialization (CWE-1188) in API authentication layer. CVSS v4.0 vector confirms unauthenticated network attack (PR:N, AV:N) with cross-system impact (SC:L/SI:H/SA:H). Default credentials or missing authentication checks in API endpoints enable complete access control bypass without user interaction.
RemediationAI
No vendor-released patch identified at time of analysis. Immediate mitigation: disable or restrict network access to OpenPLC_V3 API endpoints via firewall rules permitting only trusted IP ranges. Implement reverse proxy with mandatory authentication layer before API. Change all default credentials if configurable. Monitor CISA ICS advisory ICSA-25-345-10 for vendor patch announcements: https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-10. For production ICS environments, consider isolating affected systems on dedicated network segments with strict access controls until patches release.
More in Openplc V3
View allPlaintext credential storage in OpenPLC_V3 enables network-based attackers to retrieve authentication credentials withou
Authorization bypass in OpenPLC_V3 REST API allows authenticated low-privilege users to delete administrator accounts or
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21009
GHSA-3r9q-7hff-7fm4