Skip to main content

Vitals Esp CVE-2026-4640

| EUVDEUVD-2026-14742 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-03-24 twcert GHSA-5m6v-w55c-ph7p
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
Apr 15, 2026 - 16:37 NVD
7.5 (HIGH) 8.7 (HIGH)
EUVD ID Assigned
Mar 24, 2026 - 05:15 euvd
EUVD-2026-14742
Analysis Generated
Mar 24, 2026 - 05:15 vuln.today
CVE Published
Mar 24, 2026 - 04:20 nvd
HIGH 7.5

DescriptionCVE.org

Vitals ESP developed by Galaxy Software Services has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to execute certain functions to obtain sensitive information.

AnalysisAI

Vitals ESP, a software product developed by Galaxy Software Services, contains a Missing Authentication vulnerability that allows unauthenticated remote attackers to execute certain functions and obtain sensitive information. The vulnerability has a CVSS score of 7.5 (High) with network-based attack vector requiring no privileges or user interaction, resulting in high confidentiality impact. This issue was reported by Taiwan CERT (twcert) and is classified as an Authentication Bypass vulnerability.

Technical ContextAI

The vulnerability is rooted in CWE-306 (Missing Authentication for Critical Function), where Vitals ESP fails to properly authenticate users before allowing access to sensitive functionality. The affected product is identified via CPE as cpe:2.3:a:galaxy_software_services:vitals_esp, indicating this is a Galaxy Software Services application. Missing authentication vulnerabilities occur when critical functions or resources are accessible without requiring proof of identity, allowing unauthorized actors to bypass security controls entirely. In this case, the flaw enables remote attackers to invoke specific functions that expose sensitive information without any authentication challenge.

RemediationAI

Organizations should immediately consult the Taiwan CERT advisories at https://www.twcert.org.tw/tw/cp-132-10794-704a2-1.html and https://www.twcert.org.tw/en/cp-139-10795-25784-2.html for official remediation guidance and contact Galaxy Software Services for patch availability and upgrade instructions. Until patches can be applied, implement compensating controls including network segmentation to restrict access to Vitals ESP to trusted IP ranges only, deploy authentication at the network perimeter using reverse proxy or web application firewall with mandatory authentication requirements, and monitor access logs for suspicious activity targeting the vulnerable functions. Consider temporarily disabling remote access to the application if business operations permit until proper authentication mechanisms are implemented by the vendor.

Share

CVE-2026-4640 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy