Cyber Posture

CVE-2025-0456

Critical

Published: 16 January 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0115 (78.6th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

airPASS from NetVision Information has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access specific administrative functionality and retrieve all accounts and passwords.

Security Summary

CVE-2025-0456 is a Missing Authentication vulnerability (CWE-306) affecting the airPASS product from NetVision Information. Published on 2025-01-16, it enables unauthenticated remote attackers to access specific administrative functionality and retrieve all accounts and passwords. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as Critical due to its severe impacts on confidentiality, integrity, and availability.

Unauthenticated remote attackers with network access can exploit this vulnerability with low complexity and no privileges or user interaction required. Exploitation allows retrieval of all accounts and passwords, potentially leading to full administrative compromise of affected airPASS instances.

Advisories from TWCERT/CC provide further details on this vulnerability, available at https://www.twcert.org.tw/en/cp-139-8360-e97b8-2.html and https://www.twcert.org.tw/tw/cp-132-8359-53aa7-1.html.

Details

CWE(s): CWE-306