
WifiBurada EUVD-2025-209910 | CVE-2025-13477

Severity: HIGH (7.1, CVSS 3.1)
Exposure of Private Personal Information to an Unauthorized Actor (CWE-359)
2026-05-21 TR-CERT GHSA-xcwr-r6j4-69gg

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: None

Lifecycle Timeline

1. Analysis Generated: May 21, 2026 - 14:17 (vuln.today)

Description (NVD)

Exposure of private personal information to an unauthorized actor, Insufficiently Protected Credentials vulnerability in Digital Operations Services Inc. WifiBurada allows Authentication Bypass.

This issue affects WifiBurada: through 21052026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI)

An authentication bypass in Digital Operations Services Inc. WifiBurada (all versions through 21052026) allows authenticated remote attackers to access private personal information and credentials belonging to other users because credentials are insufficiently protected. The flaw, reported by TR-CERT and tracked as EUVD-2025-209910, carries a CVSS score of 7.1 with high confidentiality impact. No public exploit was identified at the time of analysis, and the vendor has not responded to disclosure attempts.

Technical Context (AI)

WifiBurada is a Wi-Fi service application from Turkish vendor Digital Operations Services Inc., per the CPE string cpe:2.3:a:digital_operations_services_inc.:wifiburada. The underlying weakness is CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor), compounded by insufficiently protected credentials. This class of flaw typically arises when an application stores or transmits PII and authentication material without adequate access controls, encryption, or session scoping, allowing one authenticated user (or low-privileged actor) to retrieve data belonging to other accounts and effectively bypass authentication boundaries for those identities.

Remediation (AI)

No vendor-released patch was identified at the time of analysis; the TR-CERT advisory explicitly notes that Digital Operations Services Inc. did not respond to coordinated disclosure attempts. Operators of WifiBurada should monitor https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0284 for updates and pressure the vendor directly.

Compensating controls: restrict network access to the application's API/admin endpoints via firewall or VPN allowlisting to trusted users only (trade-off: breaks public hotspot self-service flows); rotate any credentials that may have been exposed and require users to reset passwords (trade-off: user friction); enable verbose access logging on the application tier to detect anomalous account-data enumeration patterns; and consider taking the affected instance offline, if it processes sensitive PII, until an official fix is released.
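The access-log check suggested above, as an added example (not code from TR-CERT, vuln.today or the vendor): it flags an authenticated user who successfully reads many distinct account records other than their own within a sliding time window. The log format, the `/api/accounts/<id>` path, the rule that a record id equals its owner's user id, and the thresholds are all assumptions for illustration, since the advisory does not describe WifiBurada's endpoints or logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumption, not WifiBurada's real one):
#   <ISO time> user=<authenticated id> <METHOD> /api/accounts/<record id> <status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) (?P<method>[A-Z]+) "
    r"/api/accounts/(?P<target>\d+)\S* (?P<status>\d{3})$"
)

# Constructed sample: users 1001/1002 behave normally, user 1003 walks record ids.
SAMPLE_LOG = """\
2026-05-21T14:00:00 user=1001 GET /api/accounts/1001 200
2026-05-21T14:01:00 user=1003 GET /api/accounts/2001 200
2026-05-21T14:01:02 user=1003 GET /api/accounts/2002 200
2026-05-21T14:01:04 user=1003 GET /api/accounts/2003 200
2026-05-21T14:01:06 user=1003 GET /api/accounts/2004 403
2026-05-21T14:01:08 user=1003 GET /api/accounts/2005 200
2026-05-21T14:01:10 user=1003 GET /api/accounts/2006 200
2026-05-21T14:30:00 user=1002 GET /api/accounts/1001 200
""".splitlines()


def find_enumeration(lines, window=timedelta(minutes=5), threshold=5):
    """Map user -> peak count of distinct foreign records read inside one window,
    for users reaching the threshold. Lines must be in time order."""
    recent = defaultdict(deque)  # user -> (time, record id) pairs still in window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "GET" or not m["status"].startswith("2"):
            continue  # only successful reads expose data
        if m["user"] == m["target"]:
            continue  # own record (assumes record id == user id): expected
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["user"]]
        q.append((ts, m["target"]))
        while ts - q[0][0] > window:
            q.popleft()  # drop reads that fell out of the sliding window
        distinct = len({target for _, target in q})
        if distinct >= threshold:
            flagged[m["user"]] = max(flagged.get(m["user"], 0), distinct)
    return flagged


if __name__ == "__main__":
    for user, count in find_enumeration(SAMPLE_LOG).items():
        print(f"user {user} read {count} other accounts within 5 minutes")
```

Tune `window` and `threshold` against a baseline of normal traffic; roles that legitimately read many accounts, such as support staff, need their own allowance.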
