Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Network-accessible REST endpoint requires only low-privilege authentication; impact is purely availability loss with no confidentiality or integrity component, scoped to the single system.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Incorrect access control in the /api/License/deactivateOffline endpoint of CAXPerts UniversalPlantViewer WebServices Server v2.7.6 allows authenticated attackers with low-level privileges to cause a Denial of Service (DoS) via removing the license from the webserver.
AnalysisAI
Incorrect access control in CAXPerts UniversalPlantViewer WebServices Server v2.7.6 allows any authenticated low-privilege user to invoke the /api/License/deactivateOffline endpoint and strip the server's license, rendering the service inoperable. The flaw (CWE-284) grants low-privileged accounts an action that should be restricted to administrative roles, providing a trivial denial-of-service primitive against industrial plant visualization infrastructure. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network access to the UniversalPlantViewer WebServices Server API (CVSS AV:N confirms network reachability) and possession of any valid account with low-level privileges (CVSS PR:L) - no administrative account is needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) is consistent with the described vulnerability: network-reachable endpoint, no user interaction, low complexity, but requiring at least a valid low-privilege account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker or malicious insider who holds any valid low-privilege account on the UniversalPlantViewer WebServices Server authenticates normally and then sends an HTTP request to /api/License/deactivateOffline. The server processes the request without checking whether the caller is an administrator, removes the license, and the WebServices Server enters a non-functional state, denying service to all users of the plant visualization platform. … |
| Remediation | No vendor-released patch or fixed version has been identified at time of analysis - no advisory URL with a specific remediation version was included in the provided references, and the vendor sites (https://caxperts.com, https://universalplantviewer.com) should be monitored directly for patch availability. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44578
GHSA-467v-w526-45hg