Skip to main content

Openaev

1 CVEs product

Monthly

CVE-2026-24467 CRITICAL PATCH Act Now

Account takeover in OpenAEV cyber adversary simulation platform (versions 1.0.0 through 2.0.12) allows remote unauthenticated attackers to reset any user's password via non-expiring 8-digit reset tokens. By mass-generating tokens (which never expire) and brute-forcing the small token space, attackers can reliably compromise administrator accounts within minutes, leading to full platform compromise including modification of payloads executed on all agent-deployed hosts. EPSS data not provided; no CISA KEV listing identified at time of analysis. Vendor-released patch available in version 2.0.13.

Information Disclosure Openaev
NVD GitHub
CVSS 3.1
9.0
EPSS
0.2%
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Account takeover in OpenAEV cyber adversary simulation platform (versions 1.0.0 through 2.0.12) allows remote unauthenticated attackers to reset any user's password via non-expiring 8-digit reset tokens. By mass-generating tokens (which never expire) and brute-forcing the small token space, attackers can reliably compromise administrator accounts within minutes, leading to full platform compromise including modification of payloads executed on all agent-deployed hosts. EPSS data not provided; no CISA KEV listing identified at time of analysis. Vendor-released patch available in version 2.0.13.

Information Disclosure Openaev
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy