Skip to main content

Authentication Bypass

auth CRITICAL

Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications.

How It Works

Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications. Instead of cracking passwords through brute force, attackers manipulate the authentication process itself to gain unauthorized entry. This typically occurs through one of several pathways: exploiting hardcoded credentials embedded in source code or configuration files, manipulating parameters in authentication requests to skip verification steps, or leveraging broken session management that fails to properly validate user identity.

The attack flow often begins with reconnaissance to identify authentication endpoints and their underlying logic. Attackers may probe for default administrative credentials that were never changed, test whether certain URL paths bypass login requirements entirely, or intercept and modify authentication tokens to escalate privileges. In multi-step authentication processes, flaws in state management can allow attackers to complete only partial verification steps while still gaining full access.

More sophisticated variants exploit single sign-on (SSO) or OAuth implementations where misconfigurations in trust relationships allow attackers to forge authentication assertions. Parameter tampering—such as changing a "role=user" field to "role=admin" in a request—can trick poorly designed systems into granting elevated access without proper verification.

Impact

  • Complete account takeover — attackers gain full control of user accounts, including administrative accounts, without knowing legitimate credentials
  • Unauthorized data access — ability to view, modify, or exfiltrate sensitive information including customer data, financial records, and intellectual property
  • System-wide compromise — admin-level access enables installation of backdoors, modification of security controls, and complete infrastructure takeover
  • Lateral movement — bypassed authentication provides a foothold for moving deeper into networks and accessing additional systems
  • Compliance violations — unauthorized access triggers breach notification requirements and regulatory penalties

Real-World Examples

CrushFTP suffered a critical authentication bypass allowing attackers to access file-sharing functionality without any credentials. The vulnerability enabled direct server-side template injection, leading to remote code execution on affected systems. Attackers actively exploited this in the wild to establish persistent access to enterprise file servers.

Palo Alto's Expedition migration tool contained a flaw permitting attackers to reset administrative credentials without authentication. This allowed complete takeover of the migration environment, potentially exposing network configurations and security policies being transferred between systems.

SolarWinds Web Help Desk (CVE-2024-28987) shipped with hardcoded internal credentials that could not be changed through normal administrative functions. Attackers discovering these credentials gained full administrative access to helpdesk systems containing sensitive organizational information and user data.

Mitigation

  • Implement multi-factor authentication (MFA) — requires attackers to compromise additional verification factors beyond bypassed primary authentication
  • Eliminate hardcoded credentials — use secure credential management systems and rotate all default credentials during deployment
  • Enforce authentication on all endpoints — verify every request requires valid authentication; no "hidden" administrative paths should exist
  • Implement proper session management — use cryptographically secure session tokens, validate on server-side, enforce timeout policies
  • Apply principle of least privilege — limit damage by ensuring even authenticated users only access necessary resources
  • Regular security testing — conduct penetration testing specifically targeting authentication logic and flows

Recent CVEs (31133)

EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Post-authentication command execution in NETGEAR Nighthawk RAX-series routers (RAX43, RAX45, RAX50, RAX54S, RAX54Sv2) permits an attacker already holding administrative credentials and adjacent network access to run unauthorized OS-level commands or code on the device. Rooted in CWE-20 (Improper Input Validation), the flaw bypasses authorization controls within the authenticated management session, yielding high integrity impact on the vulnerable system. No public exploit identified at time of analysis, though the CVSS 4.0 supplemental metric E:P indicates proof-of-concept code exists; a vendor-released patch is available from NETGEAR.

Authentication Bypass Netgear Rax43 +4
NVD
EPSS 0% CVSS 8.3
HIGH PATCH Exploit Unlikely This Week

Spoofing via origin validation error in the Windows Network Address Translation (NAT) component affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, including Server Core installations. An unauthenticated attacker positioned on an adjacent network segment can bypass origin/authentication checks (CWE-346) to impersonate a trusted source, with Microsoft rating scope-changed high impact to confidentiality, integrity, and availability (CVSS 8.3). No public exploit identified at time of analysis, though high attack complexity limits reliable exploitation.

Authentication Bypass Microsoft Windows 11 Version 24H2 +4
NVD
EPSS 0% CVSS 6.0
MEDIUM PATCH Exploit Likely This Month

Missing cryptographic step in Windows Boot Loader allows an authorized attacker to bypass a security feature locally.

Authentication Bypass Microsoft Windows 10 Version 1809 +16
NVD
EPSS 1% CVSS 8.1
HIGH PATCH Exploit Unlikely This Week

Privilege elevation in Microsoft 365 Copilot for iOS lets a remote, unauthenticated attacker gain elevated access after a targeted user is lured into interacting with attacker-controlled content, per Microsoft's MSRC advisory. The flaw stems from improper access control (CWE-284) and carries a High CVSS 3.1 base score of 8.1 with high confidentiality and integrity impact but no availability impact. No public exploit has been identified at time of analysis and it is not listed in CISA KEV, but a vendor patch is available.

Apple Authentication Bypass Microsoft +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Improper access control in Windows Kernel allows an authorized attacker to bypass a security feature locally.

Authentication Bypass Microsoft Windows 10 Version 1607 +17
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Microsoft Windows Installer (msiexec/MSI service) lets an already-authenticated low-privilege user elevate to SYSTEM by abusing an improper authorization check (CWE-285). Affected platforms span Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025, including Server Core installations. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, so risk is currently potential rather than confirmed in-the-wild exploitation.

Authentication Bypass Microsoft Windows 10 Version 1607 +17
NVD
EPSS 1% CVSS 8.8
HIGH PATCH Exploit Unlikely This Week

Privilege elevation in Microsoft SharePoint Server (Enterprise Server 2016 and Server 2019) allows an authenticated network attacker to abuse an improper authorization check to gain higher privileges within the SharePoint environment. The flaw is tagged as an authentication bypass and carries a CVSS 8.8, reflecting high impact to confidentiality, integrity, and availability from a low-privileged starting point. Microsoft has released a patch; there is no public exploit identified at time of analysis and no CISA KEV listing.

Authentication Bypass Microsoft Microsoft Sharepoint Enterprise Server 2016 +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows a remote, unauthenticated attacker to crash or hang affected applications by triggering a type-confusion condition (CWE-843) over the network. The flaw was reported by Microsoft and a vendor patch is available via MSRC; there is no public exploit identified at time of analysis. The CVSS vector limits impact strictly to availability (A:H, C:N/I:N), meaning it is a service-disruption bug rather than a code-execution or data-exposure issue despite tag noise suggesting otherwise.

Authentication Bypass Memory Corruption Net 10 0 +2
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Security-feature bypass in Microsoft Visual Studio Code lets a remote attacker deliver functionality from an untrusted control sphere (CWE-829) that circumvents a built-in protection, yielding high confidentiality, integrity, and availability impact once a victim opens or interacts with attacker-supplied content. Rated CVSS 8.8 (AV:N/AC:L/PR:N/UI:R), it requires user interaction but no authentication, and Microsoft has released a fix via MSRC. There is no public exploit identified at time of analysis and it is not on the CISA KEV list.

Authentication Bypass Visual Studio Code
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege elevation in the Windows Extensible Storage Engine (ESENT) database library allows an already-authenticated low-privileged user on affected Windows 10 1809, Windows Server 2019, 2022, and 2025 systems to gain higher privileges, with full loss of confidentiality, integrity, and availability. The flaw stems from improper access control (CWE-284) in a core OS component that services many system databases. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Windows 10 Version 1809 Windows Server 2019 +4
NVD
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Network File System allows an unauthorized attacker to execute code over a network.

Authentication Bypass Microsoft Race Condition +18
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Exploit Likely Act Now

Remote code execution in the Windows Server Network driver stems from a race condition (CWE-362) that lets an unauthorized attacker execute arbitrary code across a wide range of Microsoft Windows client and server builds, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation with full confidentiality, integrity, and availability impact, and an 'Authentication Bypass' tag suggests the flaw can also subvert access controls. There is no public exploit identified at time of analysis and no CISA KEV listing, but the network-facing, pre-authentication nature makes it a high-priority patch.

Authentication Bypass Microsoft Race Condition +18
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Exploit Unlikely Act Now

Remote code execution in Microsoft Windows Remote Desktop (RDP) allows an unauthorized network attacker to run arbitrary code by triggering the use of an uninitialized resource (CWE-908). All currently supported Windows client and server releases are affected, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. The CVSS 3.1 base score is 9.8 with a network, no-privileges, no-interaction vector; there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Microsoft Windows 10 Version 1607 +17
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH Exploit Unlikely This Month

Improper access control in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

Authentication Bypass Microsoft Microsoft Sharepoint Enterprise Server 2016 +2
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft Office Excel (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps, Office for Mac, and Office Online Server) allows an attacker to run arbitrary code in the context of the current user when a victim opens a maliciously crafted spreadsheet. The flaw stems from use of an uninitialized resource (CWE-908) and carries a CVSS 7.8; it requires user interaction (opening the file) and no prior privileges. No public exploit identified at time of analysis, and it is not listed in CISA KEV, but a vendor patch is available.

Authentication Bypass Microsoft Microsoft 365 Apps For Enterprise +8
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Microsoft SharePoint Server (Enterprise Server 2016, Server 2019, and Subscription Edition) lets an already-authenticated network user gain higher privileges by exploiting a missing authorization check (CWE-862). Any low-privileged account with access to the SharePoint web application can abuse the flaw to perform actions reserved for higher-privileged roles, with full confidentiality, integrity, and availability impact per the CVSS 8.8 rating. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Microsoft Microsoft Sharepoint Enterprise Server 2016 +2
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Exploit Likely Act Now

Security feature bypass in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Server Subscription Edition) lets a network-based, unauthenticated attacker defeat a weak-authentication protection mechanism (CWE-1390) to gain high-impact access to confidentiality and integrity. Rated CVSS 9.1 with no attacker privileges or user interaction required, this is a serious pre-authentication issue in a widely deployed collaboration platform. Microsoft has published a fix, and there is no public exploit identified at time of analysis.

Authentication Bypass Microsoft Microsoft Sharepoint Enterprise Server 2016 +2
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft Word (part of Microsoft 365 Apps, Office 2019, Office LTSC 2021/2024, and Office for Mac) stems from a double free of heap memory (CWE-415) that lets an unauthorized attacker run arbitrary code when a victim opens a malicious document. The flaw was reported by Microsoft, carries CVSS 7.8, and a vendor patch is available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation requires the target to open a crafted file (UI:R), it is a user-interaction-gated client-side RCE rather than a remotely-triggerable service bug.

Authentication Bypass Microsoft Microsoft 365 Apps For Enterprise +10
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Arbitrary local code execution in Microsoft Office Excel (spanning Microsoft 365 Apps for Enterprise, Excel 2016, Office 2019, Office LTSC 2021/2024, the Office for Mac editions, and Office Online Server) lets an attacker run code in the current user's context when a victim opens a maliciously crafted spreadsheet. The flaw is an untrusted pointer dereference (CWE-822) triggered during file parsing; it requires user interaction but no prior privileges. No public exploit is identified at time of analysis, and a vendor patch is available from Microsoft (MSRC).

Authentication Bypass Microsoft Microsoft 365 Apps For Enterprise +8
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft Excel (and the broader Office suite through Microsoft 365 Apps, Office 2019/2021/2024 LTSC, Office for Mac, and Office Online Server) arises from an integer underflow (CWE-191) in Excel's file parsing, letting an attacker run arbitrary code in the context of the user who opens a maliciously crafted spreadsheet. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R) shows no attacker privileges are needed but the victim must open the file, giving full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and it is not listed in CISA KEV; a vendor patch is available.

Authentication Bypass Microsoft Integer Overflow +9
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local code execution in Microsoft Excel (Microsoft 365 Apps, Office 2019/LTSC 2021/2024, Office for Mac, and Office Online Server) arises from a type-confusion flaw (CWE-843) in how Excel parses spreadsheet content. An attacker who convinces a victim to open a malicious workbook can run arbitrary code in the context of the current user, gaining high confidentiality, integrity, and availability impact. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Microsoft Memory Corruption Authentication Bypass +9
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local arbitrary code execution in Microsoft Office (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps for Enterprise, and Office for Mac 2021/2024) arises from a type-confusion flaw (CWE-843) that lets an attacker run code in the context of the current user when a victim opens a crafted file. The CVSS 3.1 base score is 7.8 (AV:L/AC:L/PR:N/UI:R) reflecting local vector with required user interaction and high impact to confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor patch is available via MSRC.

Microsoft Memory Corruption Authentication Bypass +8
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft Excel (Office 2016 through LTSC 2024, Microsoft 365 Apps, and Mac editions) allows an attacker to run arbitrary code by tricking a user into opening a maliciously crafted spreadsheet that triggers a type-confusion condition in Excel's file parser. The CVSS 3.1 score is 7.8 (High) with the local vector reflecting file-open exploitation rather than remote-network access, and success requires user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Microsoft Memory Corruption Authentication Bypass +9
NVD
EPSS 1% CVSS 8.1
HIGH PATCH Exploit Unlikely This Week

Remote code execution in Microsoft Windows OLE (Object Linking and Embedding) allows an unauthorized network attacker to run arbitrary code by triggering a type-confusion condition (CWE-843) in the OLE component. The flaw affects a broad range of client and server SKUs from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 R2 through Server 2025, and carries a CVSS 8.1 (High) rating. No privileges or authentication are required per the CVSS vector, though the high attack complexity (AC:H) means exploitation depends on winning a specific timing or memory-state condition; there is no public exploit identified at time of analysis and it is not on CISA KEV.

Microsoft Memory Corruption Authentication Bypass +16
NVD
EPSS 1% CVSS 8.8
HIGH PATCH Exploit Unlikely This Week

Privilege escalation in Microsoft Active Directory Certificate Services (AD CS) allows an authenticated network attacker to elevate privileges due to improper authorization (CWE-285) in certificate request/enrollment handling across Windows Server 2012 through 2025 and their Server Core installations. With a CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N) and full high impact to confidentiality, integrity, and availability, a low-privileged domain user can abuse AD CS authorization checks to gain elevated rights, potentially up to domain compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but AD CS abuse (ESC-class attacks) is a well-established, high-value target class.

Authentication Bypass Windows 10 Version 1607 Windows 10 Version 1809 +11
NVD
EPSS 0% CVSS 6.1
MEDIUM POC PATCH Exploit Unlikely This Month

Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.

Authentication Bypass Microsoft Windows 10 Version 1607 +13
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local code execution in the GitHub Copilot plugin for JetBrains IDEs allows an unauthorized attacker to run arbitrary code on a developer's machine by leveraging improper restriction of file/resource names (CWE-641), with exploitation requiring the victim to perform an action (UI:R). Rated CVSS 7.8 (high) with full confidentiality, integrity, and availability impact, this is a local-vector flaw affecting developers running the Copilot extension; no public exploit identified at time of analysis and it is not listed in CISA KEV. Microsoft has published a fix advisory (MSRC CVE-2026-50510).

Authentication Bypass Github Copilot Plugin For Jetbrains Ides
NVD
HIGH PATCH This Week

Unauthenticated arbitrary file write in OpenCost (all versions up to and including releases before 1.119.1) lets remote clients POST to the /serviceKey endpoint and overwrite the GCP service account key file (key.json) with attacker-controlled content, with no authentication and no input validation. An attacker can either corrupt the credential file to break GCP cost collection or inject their own valid service-account key to redirect the target's billing/cost data to an attacker-owned GCP project. Publicly available exploit code exists (a full reproducible PoC is in the GHSA advisory); no public evidence of active exploitation and no CISA KEV listing.

Privilege Escalation Authentication Bypass Kubernetes +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH Exploit Unlikely This Month

Local tampering in Windows DNS via improper access control (CWE-284) allows a low-privilege authenticated local user to manipulate DNS configuration or records across a broad range of Windows 10, Windows 11, and Windows Server releases. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L) confirms exploitation requires only a valid local account with no elevated privileges, yielding high integrity impact with minimal availability disruption and no direct confidentiality exposure. No public exploit code or CISA KEV listing has been identified at time of analysis, but the 'Authentication Bypass' advisory tag suggests DNS tampering may enable downstream bypass of authentication mechanisms dependent on DNS resolution, potentially amplifying the effective impact beyond the raw CVSS score.

Authentication Bypass Microsoft Windows 10 Version 1809 +10
NVD
EPSS 1% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Denial of service in the Windows Domain Controller role on Windows Server 2025 (including Server Core) and Windows 11 24H2/25H2/26H1 lets a remote, unauthenticated attacker crash or hang authentication services by triggering an untrusted pointer dereference over the network. Because the CVSS vector is PR:N/UI:N with A:H and no confidentiality or integrity impact, a single crafted network exchange can disrupt directory and logon services domain-wide without credentials. No public exploit identified at time of analysis, and it is not on CISA KEV; Microsoft has released a patch.

Authentication Bypass Microsoft Windows 11 Version 24H2 +4
NVD
EPSS 1% CVSS 8.8
HIGH PATCH Exploit Unlikely This Week

Privilege elevation in Microsoft's Windows Server Update Services (WSUS) role allows a network-based, low-privileged attacker to gain higher privileges due to a missing authentication check on a critical function (CWE-306). The flaw affects WSUS as shipped on Windows Server 2012 through 2025 (and client builds Windows 10 1607/1809), with a CVSS 3.1 base score of 8.8; Microsoft has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, low-complexity nature makes this a high-priority patch for update-management infrastructure.

Authentication Bypass Microsoft Windows 10 Version 1607 +12
NVD
EPSS 0% CVSS 7.1
HIGH PATCH Exploit Unlikely This Week

Local integrity and availability tampering in the Microsoft Windows DNS component affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 (including Server Core), where an authorized attacker with low privileges can abuse improper access control to modify DNS data or disrupt the service. Microsoft self-reported the issue and has released a patch. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, so exploitation would currently require local access on an already-compromised or shared host.

Authentication Bypass Microsoft Windows 11 Version 24H2 +4
NVD
EPSS 0% CVSS 7.1
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows Routing and Remote Access Service (RRAS) allows a low-privileged authenticated user to elevate to higher privileges on affected Windows 10, Windows 11, and Windows Server 2012 through 2025 systems. The flaw stems from a missing authentication check on a critical RRAS function (CWE-306), letting an already-authorized local attacker invoke privileged functionality without proper authorization. Microsoft has released a patch; there is no public exploit identified at time of analysis.

Authentication Bypass Microsoft Windows 10 Version 1607 +17
NVD
EPSS 0% CVSS 8.0
HIGH PATCH Exploit Unlikely This Week

Elevation of privilege in the Microsoft Windows RPC API lets an unauthenticated attacker on an adjacent network gain higher privileges by exploiting an improper authentication weakness (CWE-287), provided a user is lured into an interaction. The flaw spans a broad range of client and server builds from Windows Server 2012 through Windows Server 2025 and Windows 10 1607 through Windows 11 26H1. No public exploit identified at time of analysis; the issue was reported by Microsoft, which has released a fix.

Authentication Bypass Microsoft Windows 10 Version 1607 +17
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Windows OLE (Object Linking and Embedding) component allows an already-authenticated, low-privileged user on affected Windows and Windows Server builds to elevate to higher privileges through an improper authorization check (CWE-285). Microsoft has released a patch, and no public exploit has been identified at time of analysis. Impact is high across confidentiality, integrity, and availability, though exploitation requires prior local code execution.

Authentication Bypass Microsoft Windows 10 Version 1607 +17
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Microsoft Windows RPC Runtime lets an already-authenticated low-privileged user gain SYSTEM-level control due to improper authorization (CWE-285). Affecting a broad range of Windows client and server releases from Windows Server 2012 through Windows 11 26H1 and Server 2025, the flaw carries CVSS 7.8 with high confidentiality, integrity, and availability impact. Reported by Microsoft with a patch available; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Windows 10 Version 1607 Windows 10 Version 1809 +16
NVD
EPSS 2% CVSS 7.8
HIGH POC PATCH Exploit Likely This Week

Local privilege escalation in the Microsoft Windows Kernel allows an already-authenticated attacker to elevate to SYSTEM-level privileges across a wide range of Windows 10, Windows 11, and Windows Server builds. The flaw stems from improper access control (CWE-284) in kernel-mode code and requires local low-privileged access with no user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the trivial attack complexity and SYSTEM-level impact make it a standard patch-Tuesday priority.

Authentication Bypass Microsoft Windows 10 Version 21H2 +7
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Improper access control in Windows System allows an unauthorized attacker to bypass a security feature locally.

Authentication Bypass Microsoft Windows 11 Version 24H2 +5
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Elevation of privilege in Microsoft Windows Runtime (WinRT) lets a remote, unauthenticated attacker win a timing window in a shared-resource race condition and gain higher privileges across a broad range of Windows client and server releases (Windows 10 1809 through Windows 11 26H1 and Windows Server 2019/2022/2025). Microsoft-reported and patched, the flaw carries CVSS 8.1, driven by full confidentiality, integrity, and availability impact but tempered by high attack complexity. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Microsoft Race Condition +11
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Microsoft Windows Search component lets an already-authenticated low-privilege user gain SYSTEM-level rights through improper access control (CWE-284). It affects all currently supported Windows client and server builds from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV, but Microsoft has released a patch.

Authentication Bypass Microsoft Windows 10 Version 1809 +10
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Elevation of privilege in Microsoft Windows (Windows 10 1809/21H2/22H2, Windows 11 24H2/25H2/26H1, and Windows Server 2019/2022/2025) allows a locally authenticated attacker to escalate to higher privileges via an improper access control weakness (CWE-284). An attacker who already holds a low-privilege foothold on the host can gain full confidentiality, integrity, and availability impact over the system. No public exploit identified at time of analysis, though the flaw was reported by Microsoft and a vendor patch is available.

Authentication Bypass Microsoft Windows 10 Version 1809 +10
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Privilege escalation in the Windows Runtime (WinRT) allows a network-based, unauthenticated attacker to win a race condition and gain elevated privileges on affected Windows 10, Windows 11 (through 26H1), and Windows Server 2019-2025 systems. Microsoft self-reported the flaw and has shipped a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS vector (AV:N/AC:H) reflects a real but timing-dependent attack that is non-trivial to reproduce reliably.

Authentication Bypass Microsoft Race Condition +11
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Network-based privilege elevation in the Windows Runtime (WinRT) affects a broad range of Microsoft platforms including Windows 10 (1809 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2019/2022/2025. An unauthorized attacker who wins a timing race in the improperly synchronized shared-resource handling can gain elevated privileges, with the vulnerability carrying an implicit authentication-bypass characteristic per vendor tags. No public exploit has been identified at time of analysis, and the high attack complexity (AC:H) reflects the need to reliably win a race window.

Authentication Bypass Microsoft Race Condition +11
NVD
EPSS 1% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Denial of service in Microsoft Windows Server Update Services (WSUS) lets a remote, unauthenticated attacker crash or disrupt the update service by triggering an uncaught exception over the network. The flaw affects WSUS across Windows Server 2012 through 2025 (plus Windows 10 1607/1809 servicing components), and the CVSS 3.1 availability-only vector (A:H) indicates service unavailability rather than data compromise. No public exploit identified at time of analysis, but a vendor patch is available and the flaw is network-reachable without authentication.

Authentication Bypass Microsoft Windows 10 Version 1607 +12
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Improper certificate validation in Windows Cryptographic Services allows an unauthorized attacker to bypass a security feature over a network.

Authentication Bypass Microsoft Windows 10 Version 21H2 +7
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH Exploit Unlikely This Month

Use of a cryptographic primitive with a risky implementation in Windows Key Guard allows an authorized attacker to bypass a security feature locally.

Authentication Bypass Microsoft Windows 10 Version 1809 +10
NVD
EPSS 0% CVSS 7.0
HIGH PATCH Exploit Likely This Week

Privilege escalation in the Windows Win32K kernel-mode subsystem lets an already-authenticated local user gain SYSTEM-level control across a broad range of Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through Server 2025). Rooted in improper access control (CWE-284), successful exploitation yields full confidentiality, integrity, and availability impact on the host. There is no public exploit identified at time of analysis and the CVSS vector's high attack complexity (AC:H) tempers the practical risk.

Authentication Bypass Microsoft Windows 10 Version 1607 +17
NVD
EPSS 0% CVSS 7.0
HIGH PATCH Exploit Likely This Week

Local privilege escalation in the Windows Win32K kernel-mode subsystem allows an already-authenticated, low-privileged user to elevate to SYSTEM through improper access control (CWE-284). Affected builds span Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. No public exploit identified at time of analysis, and it is not listed in CISA KEV; Microsoft has released a patch.

Authentication Bypass Microsoft Windows 10 Version 1607 +17
NVD
EPSS 0% CVSS 8.8
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Windows MIDI Service Module on Windows 11 (versions 24H2, 25H2, and 26H1) lets an already-authenticated local user gain elevated privileges by abusing improper access control (CWE-284). Because the CVSS scope is changed (S:C), a successful attack breaks out of the service's context to compromise confidentiality, integrity, and availability of the broader system, effectively yielding SYSTEM-level control. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Microsoft Windows 11 Version 24H2 +2
NVD
EPSS 3% CVSS 7.8
HIGH PATCH Exploit Likely This Week

Local privilege escalation in the Windows Audio Compression Manager (ACM) allows a low-privileged authenticated user to elevate to higher privileges (CVSS 7.8, CWE-284 improper access control). It affects a broad Windows fleet spanning Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Microsoft Windows 10 Version 1607 +17
NVD
EPSS 2% CVSS 7.0
HIGH PATCH Exploit Likely This Week

Local privilege escalation in the Windows Win32K kernel-mode subsystem allows an already-authenticated low-privileged user to elevate to SYSTEM through an improper access-control flaw. The issue affects a broad range of Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

Authentication Bypass Microsoft Windows 10 Version 1607 +17
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Windows Spaceport.sys Storage Spaces driver lets an already-authenticated low-privileged user gain SYSTEM-level control across Windows 10, Windows 11, and Windows Server 2016 through 2025. The flaw stems from a missing authentication check on a critical driver function (CWE-306), and Microsoft has released a patch; no public exploit has been identified at time of analysis. With CVSS 7.8 (local, low-privilege) and full confidentiality, integrity, and availability impact, it is a strong candidate for chaining after an initial foothold.

Authentication Bypass Microsoft Windows 10 Version 1607 +13
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Elevation of privilege in Microsoft Windows (Server 2012 through 2025 and Windows 10/11 clients) lets a low-privileged local user gain SYSTEM-level rights by abusing an improper access control (CWE-284) weakness. The flaw was reported by Microsoft with a patch available, and CVSS 3.1 rates it 7.8 (High) with local vector and low privileges required. No public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a patch-worthy but not emergency issue absent evidence of active exploitation.

Authentication Bypass Microsoft Windows 10 Version 1607 +17
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local code execution in the Microsoft Windows NTFS file-system driver lets an attacker run arbitrary code by inducing a victim to interact with a specially crafted NTFS artifact (e.g., a malicious volume, VHD, or file). The flaw stems from an integer underflow (CWE-191) and spans a broad range of Windows client and server builds from Windows Server 2012 through Windows Server 2025 and Windows 10/11. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Microsoft Integer Overflow +18
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Security feature bypass in Windows Secure Boot (CWE-358) allows a locally authenticated attacker on affected Windows 10, Windows 11, and Windows Server (2016 through 2025) systems to defeat the boot-integrity trust chain due to an improperly implemented standard security check. Because Secure Boot is the gate that blocks unsigned/tampered bootloaders and rootkits, a successful bypass can enable pre-OS persistence and undermine downstream protections such as BitLocker and Measured Boot. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV; Microsoft has published a patch via its update guide.

Authentication Bypass Microsoft Windows 10 Version 1607 +13
NVD
EPSS 1% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Information disclosure (and vendor-labeled privilege elevation) in the Windows DHCP Client affects Windows 10 (1607/1809), Windows Server 2012 through 2025, and their Server Core installations via an integer underflow (CWE-191) reachable over the network. A remote attacker positioned to answer DHCP traffic can craft malformed responses that wrap a length/counter calculation, with a CVSS 3.1 base of 7.5 (confidentiality impact only per the published vector). No public exploit is identified at time of analysis and it is not listed in CISA KEV, but Microsoft ships a patch.

Authentication Bypass Microsoft Integer Overflow +13
NVD
EPSS 0% CVSS 8.8
HIGH PATCH Exploit Unlikely This Week

Privilege escalation in Microsoft's Azure Monitor Agent (specifically the Metrics Extension) lets an unauthenticated attacker on an adjacent network gain elevated privileges by exploiting improper TLS certificate validation (CWE-295). Because the agent fails to properly verify the certificate of the endpoint it communicates with, an attacker positioned on the same broadcast/logical network segment can impersonate a trusted server and hijack the agent's privileged context, yielding high confidentiality, integrity, and availability impact. Microsoft rates it CVSS 8.8; there is currently no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Microsoft Azure Monitor Agent Metrics Extension
NVD
EPSS 1% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Denial of service in the Windows Local Security Authority Subsystem Service (LSASS) allows a remote, unauthenticated attacker to crash the service and disrupt authentication across all supported Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. The flaw stems from an excessive-size memory allocation (CWE-789) triggerable over the network with no privileges or user interaction, and while a vendor patch is available, there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is limited to availability (A:H) with no confidentiality or integrity loss, but LSASS failure can force system instability or reboots, affecting domain authentication and logon.

Authentication Bypass Microsoft Windows 10 Version 1607 +18
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH Exploit Unlikely This Month

Windows Cryptographic Services across a broad range of Windows 10, Windows 11, and Windows Server versions fails to release allocated memory after its effective lifetime (CWE-401), enabling a remote unauthenticated attacker to cause a denial-of-service condition over the network. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no elevated privileges against default configurations. Microsoft has released a patch via MSRC advisory CVE-2026-44806; no public exploit or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Microsoft Windows 10 Version 1607 +17
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Likely This Week

Local privilege-to-code-execution in Microsoft Windows Admin Center lets an already-authenticated, lower-privileged user abuse an improper authorization check (CWE-285) to run arbitrary code on the host where the management tool is installed. Rated CVSS 7.8 with high confidentiality, integrity, and availability impact, it requires local access and existing low-level privileges rather than remote unauthenticated reach. No public exploit identified at time of analysis, and it is not listed in CISA KEV, but Microsoft has released a fix via the MSRC update guide.

Authentication Bypass Microsoft Windows Admin Center
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH Exploit Unlikely This Month

Missing authorization in Azure CycleCloud allows an authorized attacker to elevate privileges over a network.

Authentication Bypass Microsoft Azure Cyclecloud 8 9 1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Microsoft Windows Remote Help allows an authenticated low-privileged user to elevate to higher privileges via improper access control (authorization bypass) in the Remote Help component. Exploitation requires prior local access with limited privileges (PR:L) but no user interaction, yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV, though Microsoft has released a patch.

Authentication Bypass Microsoft Windows Remote Help
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Microsoft Azure CycleCloud 8.9.1 allows an authorized (low-privileged) attacker to gain elevated privileges over the network by reaching a critical function that lacks an authentication check (CWE-306). Reported by Microsoft with a patch available and rated CVSS 8.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The flaw enables full compromise of the CycleCloud instance's confidentiality, integrity, and availability, making it a high-priority patch for HPC-orchestration environments.

Authentication Bypass Microsoft Azure Cyclecloud 8 9 1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Microsoft Windows Admin Center allows an already-authenticated, low-privileged attacker to elevate to higher privileges by abusing an improper authentication weakness (CWE-287). Any host running the management tool is affected, and successful exploitation yields full confidentiality, integrity, and availability impact on the local system. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a fix.

Authentication Bypass Microsoft Windows Admin Center
NVD
EPSS 0% CVSS 6.4
MEDIUM PATCH Exploit Unlikely This Month

Untrusted search path in Microsoft XML allows an unauthorized attacker to bypass a security feature with a physical attack.

Authentication Bypass Microsoft Windows 10 Version 1607 +17
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH Exploit Unlikely This Month

Improper authentication in Windows Admin Center allows an authorized attacker to disclose information over a network.

Authentication Bypass Microsoft Windows Admin Center
NVD
EPSS 0% CVSS 8.1
HIGH PATCH Exploit Unlikely This Week

Privilege elevation in Microsoft Windows Admin Center allows an already-authenticated (low-privileged) network attacker to bypass improper authentication controls and gain higher privileges, exposing high-value confidentiality and integrity impact. Rated CVSS 8.1 with low attack complexity and no user interaction, the flaw is remotely reachable but requires an existing authorized session. No public exploit identified at time of analysis; Microsoft has released a fix via the MSRC update guide.

Authentication Bypass Microsoft Windows Admin Center
NVD
EPSS 7% 6.6 CVSS 9.8
CRITICAL POC KEV PATCH THREAT Exploited Act Now

Privilege elevation in Microsoft SharePoint Server (Enterprise Server 2016, Server 2019, and Subscription Edition) lets an unauthenticated network attacker reach a security-critical function that lacks any authentication check (CWE-306), gaining elevated privileges on the target farm. The flaw is confirmed actively exploited (CISA KEV) with publicly available exploit code, and its CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N) reflects fully remote, unauthenticated exploitation with high confidentiality, integrity, and availability impact. Microsoft has released a patch via MSRC.

Authentication Bypass Microsoft Microsoft Sharepoint Enterprise Server 2016 +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft Defender's Malware Protection Engine (mpengine) arises from an integer underflow (CWE-191) that a local attacker can trigger with no prior authentication but requiring user interaction, yielding high confidentiality, integrity, and availability impact. Because Defender's scanning engine runs with SYSTEM-level privileges, successful exploitation would grant full compromise of the host. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; Microsoft has released a fix.

Authentication Bypass Microsoft Integer Overflow +1
NVD
EPSS 0% CVSS 8.2
HIGH PATCH Exploit Unlikely This Week

Privilege elevation in Microsoft Azure Spring Apps allows an already-authenticated, low-privileged network attacker to gain higher privileges by abusing an improper authentication weakness (CWE-287) in the managed platform. Because the CVSS scope is marked as changed (S:C), a successful attack can reach resources beyond the attacker's originally authorized boundary, yielding high confidentiality and integrity impact. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; Microsoft has published an advisory and a patch is available server-side.

Java Authentication Bypass Microsoft +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH Exploit Unlikely This Week

Remote code execution in the Microsoft Windows TCP/IP networking stack allows an unauthenticated attacker on the same physical or logical network segment to win a race condition and run arbitrary code on the target. The flaw spans a broad range of desktop and server builds from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. There is no public exploit identified at time of analysis, but Microsoft has confirmed the issue and shipped a patch, and the high CVSS (8.8) plus network-facing kernel component make it a priority to remediate.

Authentication Bypass Microsoft Race Condition +18
NVD
EPSS 0% CVSS 8.8
HIGH PATCH Exploit Unlikely This Week

Remote code execution in the Windows Reliable Multicast Transport Driver (RMCAST) lets an unauthenticated attacker on the same network segment run arbitrary code by triggering an integer underflow (CWE-191) during multicast message processing. All supported Windows client and server builds from Windows Server 2012 through Windows Server 2025 and Windows 10 1607 through Windows 11 26H1 are affected. There is no public exploit identified at time of analysis, but the CVSS 8.8 adjacent-network unauthenticated profile and Microsoft's own reporting make this a high-priority patch.

Authentication Bypass Integer Overflow Windows 10 Version 1607 +17
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Missing authentication for critical function in Microsoft Windows DNS allows an authorized attacker to perform tampering locally.

Authentication Bypass Microsoft Windows 10 Version 1809 +10
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Privilege elevation in the Windows App Store component affects a broad range of Microsoft Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025), where a race condition (CWE-362) lets an unauthorized attacker win a timing window to gain elevated privileges over a network. The CVSS 3.1 score is 8.1 with a network vector and no authentication (PR:N), but high attack complexity (AC:H) reflects the difficulty of reliably winning the race. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; a vendor patch is available from Microsoft.

Authentication Bypass Microsoft Race Condition +14
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Deserialization logic in FasterXML jackson-databind 2.15.0 through 2.18.7, 2.21.3, and 3.1.3 allows unauthenticated remote callers to bypass @JsonIgnore annotations on Java Record types when a PropertyNamingStrategy is configured. The renamed JSON key - e.g., 'internal_role' produced by SnakeCaseStrategy from 'internalRole' - is not registered in the ignore list, so Jackson's constructor-parameter binding accepts the attacker-supplied value despite the developer's explicit exclusion directive. No public exploit tooling has been identified at time of analysis, but the upstream fix PR includes a runnable proof-of-concept test that fully demonstrates the bypass, lowering the bar for independent reproduction.

Authentication Bypass Java Jackson Databind
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Username spoofing via session data in Roundcube Webmail's password plugin allows an authenticated attacker to manipulate session state so that the plugin operates on a victim's account rather than the attacker's own, enabling password changes on the target account and full account takeover. All 1.6.x versions prior to 1.6.17 and all 1.7.x versions prior to 1.7.2 are affected when the password plugin is enabled. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the high integrity and confidentiality impact ratings reflect genuine account hijacking potential in shared hosting environments.

Authentication Bypass Webmail
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Authorization bypass in Sonatype Nexus Repository 3's component upload API lets an account holding only read/browse privileges on a Swift, Terraform, or Conda hosted repository push arbitrary artifacts, defeating the intended write-permission check (CWE-862). The flaw affects the specific upload paths for these three formats and enables unauthorized artifact publishing that can poison downstream builds. No public exploit identified at time of analysis; Sonatype has shipped a fix in release 3.94.0.

Hashicorp Authentication Bypass Nexus Repository 3
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored cross-site scripting in Hi.Events through v1.10.0-beta allows authenticated event organizers to inject arbitrary JavaScript into public event pages by embedding the raw </script> sequence in an event title, which the application's JSON.stringify() serialization fails to encode safely when placed in inline script contexts. The payload executes in the browser of every visitor to the affected event page - including unauthenticated attendees and authenticated administrators - enabling session hijacking and privilege escalation from a low-privileged creator account. No public exploit has been identified at time of analysis; a vendor-released patch is available in v1.11.0-beta.

Authentication Bypass XSS Hi Events
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Hidden ticket purchase bypass in Hi.Events through v1.10.0-beta allows unauthenticated remote attackers to acquire VIP, invite-only, or discounted tickets withheld from public sale by referencing hidden ticket and price IDs directly in order creation API requests. The server fails to enforce ticket visibility rules at the API layer, relying only on UI-level concealment, and sequential integer ticket IDs allow systematic enumeration from observed visible IDs. No public exploit or active exploitation (KEV) has been identified at time of analysis, but the unauthenticated network vector and low complexity make opportunistic exploitation straightforward following disclosure.

Authentication Bypass Hi Events
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Improper API key generation in Sonatype Nexus Repository Manager lets a remote attacker impersonate a targeted user and perform repository operations on their behalf. The flaw stems from insufficient entropy (CWE-331) in format-specific API key realms, so an attacker who can predict or reconstruct a victim's key gains their access without credentials. The vendor (Sonatype) reported and patched the issue in release 3.93.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Docker Authentication Bypass Node.js +1
NVD
EPSS 0% CVSS 3.1
LOW PATCH Monitor

OAuth provider rebinding in Easy!Appointments prior to version 1.6.0 allows any authenticated backend user - including low-privilege secretary and provider roles - to silently hijack a peer provider's Google Calendar integration by supplying an arbitrary provider_id to the OAuth initiation endpoint. The attacker completes a legitimate Google OAuth flow with their own Google account, which the application then binds to the victim provider's database row without verifying ownership. From that point forward, every appointment on the victim's schedule syncs to the attacker's Google Calendar, leaking customer names and email addresses as attendee data. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Google Authentication Bypass PHP +1
NVD GitHub
EPSS 0% CVSS 3.3
LOW PATCH Monitor

Horizontal privilege escalation in Easy!Appointments prior to 1.6.0 permits any authenticated provider to inject appointments into a peer provider's calendar or reassign existing appointments across provider boundaries by supplying an arbitrary `id_users_provider` value to the `store` and `update` API endpoints. The asymmetry is stark: the `search` endpoint correctly enforces provider-scoped filtering, confirming the isolation boundary was intentionally designed - making this an incomplete implementation rather than a missing feature. An additional write-before-crash defect on the `store` path means the unauthorized database row is silently persisted even when the attacker receives an HTTP error response. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Authentication Bypass Easyappointments
NVD GitHub
EPSS 0% CVSS 8.2
HIGH This Week

Certificate revocation bypass in Rockwell Automation ControlLogix 5580, CompactLogix 5380, GuardLogix 5580, Compact GuardLogix 5380, and 1756-EN4TR (EN4) communication modules allows a network-based attacker to establish a CIP Security connection using a certificate whose issuing intermediate CA has been revoked. Because the controller does not honor the Certificate Revocation List (CRL) for a revoked intermediate, an attacker holding such a certificate can present it as trusted and bypass CIP Security authentication. No public exploit identified at time of analysis; the vendor rates it CVSS 4.0 8.2 (High).

Authentication Bypass Controllogix 5580 Compactlogix 5380 Guardlogix 5580 Compact Guardlogix 5380 1756 En4Tr
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Local authenticated code execution in Rockwell Automation Studio 5000 Logix Designer allows any low-privileged authenticated user to tamper with the incorrectly-protected external-tools configuration file (CWE-863) and redirect a configured tool path to a malicious executable. Because the payload runs when a different user later invokes the external tools feature, this is effectively a privilege-crossing RCE against the engineering workstation. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; exploitation is gated by high attack complexity, a specific attack requirement, and required victim interaction (CVSS 4.0 base 7.3).

Authentication Bypass RCE Studio 5000 Logix Designer
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authentication bypass by spoofing in the Elixir ueberauth_apple strategy (0.1.0 through 0.6.1) allows full account takeover because the callback id_token's signature is checked against Apple's JWKS but its registered claims are never validated. Remote unauthenticated attackers who obtain any Apple-signed token carrying the victim's sub - an expired token or one issued to a sibling client in the same Apple developer team - can replay it to log in as the victim. No public exploit identified at time of analysis, but the vendor-confirmed fix (0.6.2) and a clear replay path make this a high-priority auth flaw; EPSS and KEV data were not provided.

Apple Authentication Bypass Ueberauth Apple
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Authentication bypass in Rockwell Automation FactoryTalk Services Platform (FTSP) lets an authenticated low-privilege user forge JWT tokens during Okta Web Authentication because the application fails to enforce the RSA signing algorithm, permitting the classic 'alg:none' attack. A successful attacker can impersonate any authorized user, reaching system configuration and granting permissions to other systems that FTSP protects. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the alg:none technique is well documented and trivially reproducible once access is obtained.

Authentication Bypass Factorytalk Services Platform
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Unauthenticated remote command execution on Rockwell Automation's 1715-AENTR EtherNet/IP Adapter arises from a network-accessible debug port that enforces no privilege controls, exposing intrusive CLI commands to any attacker who can reach the device. An unauthenticated remote actor can read and delete files, halt tasks, modify memory, and manipulate physical I/O states, giving full control over device confidentiality, integrity, and availability. Rated CVSS 4.0 10.0 (Critical) with subsequent-system impact; no public exploit has been identified at time of analysis.

Authentication Bypass
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference in the Academy LMS WordPress plugin (all versions through 3.8.0) allows authenticated attackers with Subscriber-level access to read, overwrite, or delete the private lesson notes of any user - including administrators - and to falsify lesson-completion records for arbitrary accounts. Three AJAX handlers (save_lesson_note, get_lesson_note, complete_lesson_video) perform no ownership validation on a user-controlled key, making cross-user data manipulation trivially achievable by any registered site user. No public exploit identified at time of analysis, but the attack surface is fully described via Wordfence's public threat-intelligence entry and source-level code references.

Authentication Bypass WordPress Academy Lms
NVD
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Authentication bypass in JetBrains YouTrack allows attackers to obtain full administrative access by leveraging a direct-database-access code path, per CWE-306 (missing authentication for a critical function). All self-hosted YouTrack builds prior to the 2026.1.13757 / 2025.3.148033 / 2025.2.148048 / 2025.1.148120 / 2024.3.148430 / 2024.2.148429 fix trains are affected, and JetBrains rates it CVSS 10.0. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the maximal severity score and administrative impact make prompt patching essential.

Authentication Bypass Youtrack
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Broken object-level authorization in the Sesame Time web application and its REST v3 API lets remote attackers hijack another user's session by presenting a valid session identifier (USID), because the platform treats the USID as a bearer credential and never verifies that it belongs to the requester. Any attacker who obtains a valid USID can read a victim's confidential data - emails, user IDs, roles and corporate information - and the weakness is compounded by session sprawl, since new logins mint additional USIDs without invalidating prior ones. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Sesame Time
NVD
Prev Page 2 of 346 Next

Quick Facts

Typical Severity
CRITICAL
Category
auth
Total CVEs
31133

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy