Severity by source
CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was determined in Dotouch XproUPF 2.0.0-release-088aa7c4. Affected is an unknown function of the component UPF. This manipulation causes improper access controls. A high degree of complexity is needed for the attack. The exploitability is told to be difficult. The vendor was contacted early about this disclosure.
AnalysisAI
Improper access controls in Dotouch XproUPF 2.0.0 (release 088aa7c4) allow local authenticated attackers to bypass authentication mechanisms and gain unauthorized access to restricted functionality within the UPF component. The vulnerability requires high attack complexity and valid user credentials but affects confidentiality, integrity, and availability of the affected system. No public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
The vulnerability exists in the UPF (User Protocol Framework or similar) component of Dotouch XproUPF, a software utility for mobile device testing and management. CWE-284 (Improper Access Control) indicates that the component fails to properly enforce authorization checks, allowing authenticated users to access resources or perform operations beyond their intended privilege level. The CVE description identifies an 'unknown function' within UPF as vulnerable, suggesting either incomplete vulnerability details or deliberate disclosure redaction by the vendor. The attack vector is classified as Adjacent Network (AV:A), meaning an attacker must have local or close-range network access rather than direct internet-facing exposure.
RemediationAI
Contact Dotouch directly for patched version availability, as no public vendor advisory or patch version number has been identified in available sources. The CVE description states 'the vendor was contacted early about this disclosure,' indicating coordinated vulnerability response; request an ETA for a security update addressing the improper access control in the UPF component. As an interim compensating control, restrict network access to Dotouch XproUPF instances to trusted internal networks only and enforce principle of least privilege by granting UPF access only to users who require it for legitimate testing purposes. If UPF functionality can be disabled without operational impact, consider doing so until a patch is available. Monitor access logs for authentication bypass attempts (unusual privilege escalation or cross-user access within UPF) and implement network segmentation to limit lateral movement if the vulnerability is exploited.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28984
GHSA-c56c-rg8p-wh26