Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Vitals ESP developed by Galaxy Software Services has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to execute certain functions to obtain sensitive information.
AnalysisAI
Vitals ESP, a software product developed by Galaxy Software Services, contains a Missing Authentication vulnerability that allows unauthenticated remote attackers to execute certain functions and obtain sensitive information. The vulnerability has a CVSS score of 7.5 (High) with network-based attack vector requiring no privileges or user interaction, resulting in high confidentiality impact. This issue was reported by Taiwan CERT (twcert) and is classified as an Authentication Bypass vulnerability.
Technical ContextAI
The vulnerability is rooted in CWE-306 (Missing Authentication for Critical Function), where Vitals ESP fails to properly authenticate users before allowing access to sensitive functionality. The affected product is identified via CPE as cpe:2.3:a:galaxy_software_services:vitals_esp, indicating this is a Galaxy Software Services application. Missing authentication vulnerabilities occur when critical functions or resources are accessible without requiring proof of identity, allowing unauthorized actors to bypass security controls entirely. In this case, the flaw enables remote attackers to invoke specific functions that expose sensitive information without any authentication challenge.
RemediationAI
Organizations should immediately consult the Taiwan CERT advisories at https://www.twcert.org.tw/tw/cp-132-10794-704a2-1.html and https://www.twcert.org.tw/en/cp-139-10795-25784-2.html for official remediation guidance and contact Galaxy Software Services for patch availability and upgrade instructions. Until patches can be applied, implement compensating controls including network segmentation to restrict access to Vitals ESP to trusted IP ranges only, deploy authentication at the network perimeter using reverse proxy or web application firewall with mandatory authentication requirements, and monitor access logs for suspicious activity targeting the vulnerable functions. Consider temporarily disabling remote access to the application if business operations permit until proper authentication mechanisms are implemented by the vendor.
More in Vitals Esp
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14742
GHSA-5m6v-w55c-ph7p