Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Network-accessible authentication bypass with no prerequisites; limited partial access impact and no scope change justify C:L/I:L and S:U.
Primary rating from Vendor (TR-CERT).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
Authentication bypass by spoofing vulnerability in Hedef Media Promotion Interactive Media Marketing Inc. Related Marketing Cloud (RMC) allows Brute Force.
This issue affects Related Marketing Cloud (RMC): through 12052026.
AnalysisAI
Authentication bypass in Related Marketing Cloud (RMC) by Hedef Media Promotion Interactive Media Marketing Inc. exposes unauthenticated remote attackers to credential brute-forcing via a spoofing weakness (CWE-290), allowing them to circumvent authentication controls without prior access. All RMC versions through 12052026 are affected, and the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no privileges, no user interaction, and no special network positioning. No public exploit code or CISA KEV listing has been identified at time of analysis; the advisory originates from TR-CERT via the Turkish national cybersecurity authority.
Technical ContextAI
Related Marketing Cloud (RMC) is a SaaS-oriented interactive media marketing platform developed by Hedef Media Promotion Interactive Media Marketing Inc., identified in the CPE string as cpe:2.3:a:hedef_media_promotion_interactive_media_marketing_inc.:related_marketing_cloud_(rmc). The root cause is CWE-290, Authentication Bypass by Spoofing, a class of flaw in which the application relies on a forgeable or insufficient identity signal - such as a spoofed header, token, or IP address - to make authentication decisions. When this control fails, it also enables brute force attempts because the application's login-rate-limiting or account-lockout defenses may be bypassed alongside the identity check. The CVSS low-complexity rating indicates the bypass mechanism does not require deep knowledge of the target environment or advanced tooling.
RemediationAI
The primary remediation action is to consult the TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0370 and apply any vendor-released patch or updated version beyond 12052026 once confirmed available. No exact patched version number was provided in the available input data, so a vendor-released patch version is not independently confirmed at this time. As compensating controls pending a patch: restrict RMC login endpoints to known IP ranges or require VPN access to reduce the attack surface against unauthenticated brute force; implement an external web application firewall (WAF) rule to enforce request-rate limiting and lockout policies on authentication endpoints, mitigating the brute force enablement even if the underlying spoofing bypass persists. Note that rate-limiting at the WAF layer may add latency for legitimate users and does not address the root authentication bypass - it is a temporary measure only.
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36486
GHSA-mhvh-8ggm-ccrx