Skip to main content

Mobile Application

3 CVEs product

Monthly

CVE-2026-1816 MEDIUM PATCH This Month

Brute force exploitation of the Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application (versions 1.6.2 through before 1.13) is enabled by the complete absence of rate limiting or lockout controls on authentication attempts (CWE-307), allowing a network-accessible attacker to systematically enumerate user credentials. Successful exploitation results in high confidentiality impact - consistent with the 'Information Disclosure' tag and C:H CVSS metric - meaning account contents and potentially sensitive utility-related user data can be exposed. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, a vendor-released patch is available and upgrade to version 1.13 is the indicated remediation.

Information Disclosure Mobile Application
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-1815 MEDIUM PATCH This Month

Insufficient session expiration in the Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application versions 1.6.2 through before 1.13 permits session hijacking by failing to invalidate session tokens after logout or inactivity. An authenticated attacker who obtains a valid session token can reuse it to access the victim's account data, resulting in high-confidence exposure (C:H) with no integrity or availability impact. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the high confidentiality impact against an energy sector mobile application warrants prompt patching given the sensitivity of the target environment.

Information Disclosure Mobile Application
NVD VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-10681 HIGH PATCH This Week

Hardcoded storage credentials in Gardyn mobile application and device firmware grant unauthenticated remote attackers access to production cloud storage containers with excessive permissions. The CVSS v4.0 score of 8.8 reflects network-accessible attack vector with no complexity barriers, enabling high confidentiality impact and limited integrity/availability impact. CISA ICS-CERT disclosure indicates industrial/IoT context. No public exploit identified at time of analysis, though hardcoded credential vulnerabilities are trivial to exploit once discovered. EPSS data not available for this recent CVE.

Authentication Bypass Mobile Application Cloud Api
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.0%
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Brute force exploitation of the Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application (versions 1.6.2 through before 1.13) is enabled by the complete absence of rate limiting or lockout controls on authentication attempts (CWE-307), allowing a network-accessible attacker to systematically enumerate user credentials. Successful exploitation results in high confidentiality impact - consistent with the 'Information Disclosure' tag and C:H CVSS metric - meaning account contents and potentially sensitive utility-related user data can be exposed. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, a vendor-released patch is available and upgrade to version 1.13 is the indicated remediation.

Information Disclosure Mobile Application
NVD VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Insufficient session expiration in the Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application versions 1.6.2 through before 1.13 permits session hijacking by failing to invalidate session tokens after logout or inactivity. An authenticated attacker who obtains a valid session token can reuse it to access the victim's account data, resulting in high-confidence exposure (C:H) with no integrity or availability impact. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the high confidentiality impact against an energy sector mobile application warrants prompt patching given the sensitivity of the target environment.

Information Disclosure Mobile Application
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Hardcoded storage credentials in Gardyn mobile application and device firmware grant unauthenticated remote attackers access to production cloud storage containers with excessive permissions. The CVSS v4.0 score of 8.8 reflects network-accessible attack vector with no complexity barriers, enabling high confidentiality impact and limited integrity/availability impact. CISA ICS-CERT disclosure indicates industrial/IoT context. No public exploit identified at time of analysis, though hardcoded credential vulnerabilities are trivial to exploit once discovered. EPSS data not available for this recent CVE.

Authentication Bypass Mobile Application Cloud Api
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy