Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
In GenieACS 1.2.13, an unauthenticated access vulnerability exists in the NBI API endpoint.
AnalysisAI
Unauthenticated remote information disclosure in GenieACS 1.2.13 NBI API allows network-based attackers to read sensitive configuration data without authentication. The CVSS vector confirms zero authentication requirements (PR:N), enabling attackers to directly access the NBI API endpoint and exfiltrate high-confidentiality information. Publicly available exploit code exists. Attack complexity is low with no user interaction required. EPSS indicates low observed exploitation activity.
Technical ContextAI
Root cause is improper access control (CWE-284) on the NBI (Northbound Interface) API endpoint. The API fails to enforce authentication checks, accepting unauthenticated network requests. This allows direct HTTP/HTTPS access to API functions designed for authenticated device management operations, exposing configuration data and potentially customer premises equipment details.
RemediationAI
No vendor-released patch identified at time of analysis. Immediately restrict network access to the NBI API endpoint using firewall rules, reverse proxy authentication, or IP allowlisting to trusted management networks only. Monitor GenieACS GitHub repository (https://github.com/genieacs/genieacs/) for security advisories and version updates beyond 1.2.13. Implement API gateway with mandatory authentication. Conduct access log review for unauthorized NBI API connections. Consider temporarily disabling the NBI API if not operationally required until patch availability is confirmed. Refer to NVD advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-56015. Review proof-of-concept at https://github.com/e1st/CVE-2025-56015 to validate defensive controls.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209276
GHSA-2h6j-mhcp-9j9h