EUVD-2025-209276

CVE-2025-56015 | HIGH | 7.5 (CVSS 3.1)
2026-04-07 mitre GHSA-2h6j-mhcp-9j9h

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 07, 2026 - 20:16 (vuln.today)
EUVD ID Assigned: Apr 07, 2026 - 20:16 (euvd) - EUVD-2025-209276
CVE Published: Apr 07, 2026 - 00:00 (nvd)

Description

In GenieACS 1.2.13, an unauthenticated access vulnerability exists in the NBI API endpoint.

Analysis

Unauthenticated remote information disclosure in the GenieACS 1.2.13 NBI API allows a network-based attacker to read sensitive configuration data. The CVSS vector reflects this: no privileges (PR:N), no user interaction (UI:N), low attack complexity (AC:L), and a high confidentiality impact with no integrity or availability impact (C:H/I:N/A:N). Any host that can reach the NBI listener can query it directly. Publicly available exploit code exists. EPSS indicates low observed exploitation activity.

Technical Context

Root cause is improper access control (CWE-284) on the NBI (Northbound Interface) API endpoint. The API does not enforce an authentication check and accepts unauthenticated network requests. This gives direct HTTP/HTTPS access to API functions intended for authenticated device management operations, exposing ACS configuration data and details of the customer premises equipment (CPE) it manages.
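As an added example (not code from this page or from the GenieACS project), the following Python probe exercises the behaviour described above and doubles as a check after controls are applied: it sends one unauthenticated request to the NBI and classifies the answer. It assumes GenieACS's documented default NBI port 7557 and the /devices collection path; both are assumptions to adjust for your deployment.

```python
"""Probe a GenieACS NBI endpoint for unauthenticated read access (added example)."""
import json
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Assumptions, not taken from the advisory: GenieACS's documented default NBI
# port and the /devices collection path. Adjust both for your deployment.
DEFAULT_NBI_PORT = 7557
PROBE_PATH = "/devices/?limit=1"


@dataclass
class ProbeResult:
    verdict: str           # EXPOSED, PROTECTED, UNREACHABLE or INCONCLUSIVE
    status: Optional[int]  # HTTP status, None if no HTTP response was received
    detail: str


def classify(status: int, body: str) -> ProbeResult:
    """Map one HTTP response to a verdict.

    A bare 200 is not enough: a reverse proxy may answer 200 with a login page.
    Only a JSON array (the NBI's collection response shape) counts as EXPOSED,
    and an empty array still counts, because the unauthenticated read succeeded.
    """
    if status in (401, 403, 407):
        return ProbeResult("PROTECTED", status, "authentication or allowlist enforced")
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return ProbeResult("INCONCLUSIVE", status, "200 with non-JSON body (proxy page?)")
        if isinstance(data, list):
            return ProbeResult("EXPOSED", status,
                               f"NBI returned {len(data)} device record(s) without credentials")
        return ProbeResult("INCONCLUSIVE", status, "200 with unexpected JSON shape")
    return ProbeResult("INCONCLUSIVE", status, f"unexpected HTTP {status}")


def probe(host: str, port: int = DEFAULT_NBI_PORT, timeout: float = 5.0) -> ProbeResult:
    """Send one unauthenticated GET to the NBI and classify the answer."""
    url = f"http://{host}:{port}{PROBE_PATH}"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        # 4xx/5xx land here; the body is still readable for classification
        return classify(e.code, e.read().decode("utf-8", "replace"))
    except OSError as e:
        # URLError (refused, DNS failure, timeout) is an OSError subclass; a
        # refused or filtered connection is the expected result after a firewall fix
        return ProbeResult("UNREACHABLE", None, f"no HTTP response: {e}")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = probe(target)
    print(f"{target}:{DEFAULT_NBI_PORT} -> {result.verdict}: {result.detail}")
    sys.exit(1 if result.verdict == "EXPOSED" else 0)
```

Run it from a network position that should not have management access; EXPOSED means the listener answered a credential-less read, UNREACHABLE or PROTECTED is what a correct firewall or authenticating proxy produces, and INCONCLUSIVE needs a manual look at the response.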

Affected Products

GenieACS version 1.2.13. GenieACS is an open-source Auto Configuration Server (ACS) for TR-069 device management. Vendor: GenieACS project. No Common Platform Enumeration (CPE) identifier is available beyond a generic placeholder.

Remediation

No vendor-released patch identified at time of analysis. Until one is confirmed:

- Restrict network access to the NBI API listener to trusted management networks only (firewall rules, IP allowlisting, or a reverse proxy that enforces authentication in front of it). The CWMP listener that CPE devices connect to must stay reachable, so apply the restriction to the NBI listener specifically.
- If the NBI API is not operationally required, disable it until a fix is available.
- Put an API gateway or reverse proxy with mandatory authentication in front of any NBI access that must remain.
- Review access logs for NBI API requests originating outside the management network.
- Watch the GenieACS repository (https://github.com/genieacs/genieacs/) for security advisories and releases later than 1.2.13.
- After applying controls, re-test from an untrusted network position; the public proof-of-concept (https://github.com/e1st/CVE-2025-56015) can be used to confirm the endpoint no longer answers unauthenticated requests.

NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-56015.
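As an added example of the access-log review step (not code from this page or from the GenieACS project): a Python pass over reverse-proxy access logs that flags NBI collection requests from addresses outside the management network. It assumes the NBI is fronted by a proxy writing combined-format logs, that 10.20.0.0/24 is the management network, and that the collection names match the GenieACS NBI API as documented; the log lines are constructed for the example, not real traffic.

```python
"""Flag NBI API requests from outside the management network (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample lines in nginx/Apache "combined" format, as a reverse proxy
# in front of the NBI would write them. Not real traffic from any deployment.
SAMPLE_LOG = """\
10.20.0.5 - - [07/Apr/2026:20:10:01 +0000] "GET /devices/?limit=10 HTTP/1.1" 200 8123 "-" "curl/8.5.0"
203.0.113.77 - - [07/Apr/2026:20:11:42 +0000] "GET /devices/ HTTP/1.1" 200 91244 "-" "python-requests/2.31"
203.0.113.77 - - [07/Apr/2026:20:11:45 +0000] "GET /files/ HTTP/1.1" 200 412 "-" "python-requests/2.31"
10.20.0.5 - - [07/Apr/2026:20:12:03 +0000] "POST /devices/00259E-SR102-000000/tasks HTTP/1.1" 202 0 "-" "curl/8.5.0"
198.51.100.9 - - [07/Apr/2026:20:13:10 +0000] "GET /presets/ HTTP/1.1" 403 153 "-" "Mozilla/5.0"
"""

# Assumed management allowlist; replace with your own networks.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# NBI top-level collections as documented for the GenieACS NBI API (assumption:
# verify against the version you run).
NBI_COLLECTIONS = ("devices", "tasks", "faults", "presets", "objects",
                   "provisions", "virtual_parameters", "files")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


@dataclass
class Finding:
    ip: str
    method: str
    path: str
    status: int


def is_nbi_path(path: str) -> bool:
    """True if the first path segment (query string stripped) is an NBI collection."""
    first = path.lstrip("/").split("/", 1)[0].split("?", 1)[0]
    return first in NBI_COLLECTIONS


def review(lines: Iterable[str], allowed=MANAGEMENT_NETS) -> List[Finding]:
    """Return every NBI request whose client address is not in an allowed network."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_nbi_path(m["path"]):
            continue
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in allowed):
            continue
        findings.append(Finding(m["ip"], m["method"], m["path"], int(m["status"])))
    return findings


def successful(findings: List[Finding]) -> List[Finding]:
    """Subset that the server actually answered (status < 400): these are the
    requests that read or changed data, not the ones a control already blocked."""
    return [f for f in findings if f.status < 400]


if __name__ == "__main__":
    found = review(SAMPLE_LOG.splitlines())
    for f in found:
        tag = "SERVED" if f.status < 400 else "blocked"
        print(f"{tag:7} {f.ip:15} {f.method} {f.path} -> {f.status}")
```

A served request from outside the allowlist with status 200 or 202 against /devices or /tasks is the signal to escalate: the former is a read of CPE inventory, the latter a device management action.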

Priority Score

38 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.0, CVSS +38, POC 0
