What is the CVSS score of EUVD-2025-16746?

EUVD-2025-16746 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. EPSS exploitation probability: 0.8%.

Which versions of Java are affected by EUVD-2025-16746?

CVE-2025-46548 presents notable security risk, a improper authentication vulnerability rated CVSS 6.5. This could allow unauthorized access to protected resources.. A patch is available.

Is there a public PoC exploit available for EUVD-2025-16746?

Yes, a public proof-of-concept exploit is available for EUVD-2025-16746. Prioritise patching immediately. EPSS: 0.8%.

How to fix or mitigate EUVD-2025-16746?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Audit authentication configurations.

Java EUVD-2025-16746

| CVE-2025-46548 MEDIUM

Improper Authentication (CWE-287)

2025-06-03 security@apache.org

GHSA-9qvj-rpj8-v5c8

Java Authentication Bypass Akka Management Pekko Management

6.5

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

6.5 MEDIUM

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 17:04 euvd

EUVD-2025-16746

Analysis Generated

Mar 14, 2026 - 17:04 vuln.today

Patch released

Mar 14, 2026 - 17:04 nvd

Patch available

PoC Detected

Jul 02, 2025 - 14:19 vuln.today

Public exploit code

CVE Published

Jun 03, 2025 - 15:15 nvd

MEDIUM 6.5

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

4 maven packages depend on org.apache.pekko:pekko-management_2.12 (4 direct, 0 indirect)
16 maven packages depend on org.apache.pekko:pekko-management_2.13 (5 direct, 11 indirect)
20 maven packages depend on org.apache.pekko:pekko-management_3 (5 direct, 15 indirect)

Ecosystem-wide dependent count for version 1.1.1 and other introduced versions.

DescriptionCVE.org

If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied.

Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue.

Akka was affected by the same issue and has released the fix in version 1.6.1.

Analysis

If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied.

Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue.

Akka was affected by the same issue and has released the fix in version 1.6.1.

Technical ContextAI

An authentication bypass vulnerability allows attackers to circumvent login mechanisms and gain unauthorized access without valid credentials. This vulnerability is classified as Improper Authentication (CWE-287).

RemediationAI

A vendor patch is available — apply it immediately. Implement robust authentication mechanisms. Use multi-factor authentication. Review authentication logic for bypass conditions. Remove default credentials.