CVE-2025-12866
Published: 10 November 2025
Description
EIP Plus developed by Hundred Plus has a Weak Password Recovery Mechanism vulnerability, allowing an unauthenticated remote attacker to predict or brute-force the 'forgot password' link, thereby successfully resetting any user's password.
Mitigating Controls (NIST 800-53 r5) [AI-generated]
IA-5 requires secure management of authenticators, including procedures for handling lost or compromised authenticators and a minimum strength of mechanism, which directly addresses a password recovery mechanism that is open to prediction or brute force.
SI-2 mandates identification, reporting, testing, and correction of system flaws like the weak forgot password mechanism in EIP Plus.
SC-5 provides denial-of-service protections such as rate limiting to mitigate brute-force attacks on the unauthenticated forgot password link.
Security Summary [AI-generated]
CVE-2025-12866 is a critical vulnerability in EIP Plus, a product developed by Hundred Plus, stemming from a weak password recovery mechanism classified under CWE-640. The flaw enables an unauthenticated remote attacker to predict or brute-force the 'forgot password' link, allowing unauthorized password resets for any user account. Assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it was published on 2025-11-10.
An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no privileges required. By predicting or brute-forcing the forgot password link, the attacker gains the ability to reset passwords for arbitrary users, potentially leading to full account takeover, high confidentiality/integrity/availability impacts, and unauthorized access to sensitive data or systems managed via EIP Plus.
Advisories from TWCERT/CC (https://www.twcert.org.tw/en/cp-139-10491-004b0-2.html, https://www.twcert.org.tw/tw/cp-132-10490-2534b-1.html) and CHT Security (https://www.chtsecurity.com/news/20848f61-9db5-44fd-8574-c9d6a54e4010) provide details on the vulnerability; security practitioners should review these for recommended patches, workarounds, or mitigation strategies specific to EIP Plus deployments.
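The mitigating-controls section above (IA-5 strength of mechanism, SC-5 rate limiting) and the summary of the flaw both come down to one design question: what a 'forgot password' link must look like so that it can be neither predicted nor enumerated. The page does not say how EIP Plus generates its links, so the following is an added, self-contained Python example of the hardened pattern only, not Hundred Plus code and not a description of the patched product. It assumes a hypothetical base URL and an in-memory store; a real service would persist the records and the rate-limit counters in its database. The token is 256 bits from the OS CSPRNG, only its SHA-256 hash is stored at rest, it expires, it is single-use, and the unauthenticated redemption endpoint is throttled per client bucket so that guessing is bounded even if an attacker tries.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed policy values for the example; tune per deployment.
TOKEN_TTL_SECONDS = 15 * 60        # reset links expire after 15 minutes
MAX_FAILURES = 5                   # failed redemptions allowed per window
FAILURE_WINDOW_SECONDS = 10 * 60   # sliding window for the failure counter
RESET_BASE_URL = "https://app.example.invalid/reset"  # hypothetical, not the vendor's URL


@dataclass
class ResetRecord:
    user_id: str
    token_hash: bytes   # only SHA-256(token) is stored; a DB leak does not leak usable links
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Issue and redeem unguessable, expiring, single-use reset tokens (IA-5),
    with per-client throttling on the unauthenticated redeem path (SC-5)."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._records: Dict[bytes, ResetRecord] = {}   # constructed in-memory store
        self._failures: Dict[str, List[float]] = {}    # client bucket -> failure timestamps

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode("ascii")).digest()

    def issue(self, user_id: str) -> str:
        """Create a reset token for user_id and return the raw value to embed in the email link."""
        # 32 bytes from the CSPRNG = 256 bits of entropy: not derivable from user id,
        # time or a counter, and far beyond what an online brute force can enumerate.
        token = secrets.token_urlsafe(32)
        # Invalidate any outstanding token for this user so only the newest link works.
        for h, old in list(self._records.items()):
            if old.user_id == user_id:
                del self._records[h]
        self._records[self._hash(token)] = ResetRecord(
            user_id, self._hash(token), self._clock() + TOKEN_TTL_SECONDS)
        return token

    def build_link(self, token: str) -> str:
        """Compose the link sent to the user (hypothetical URL scheme)."""
        return f"{RESET_BASE_URL}?token={token}"

    def _too_many_failures(self, client_key: str) -> bool:
        now = self._clock()
        recent = [t for t in self._failures.get(client_key, [])
                  if now - t < FAILURE_WINDOW_SECONDS]
        self._failures[client_key] = recent
        return len(recent) >= MAX_FAILURES

    def _record_failure(self, client_key: str) -> None:
        self._failures.setdefault(client_key, []).append(self._clock())

    def redeem(self, token: str, client_key: str) -> Optional[str]:
        """Return the user_id the token belongs to, or None on any failure.
        client_key is the throttling bucket for the unauthenticated endpoint
        (for example the source address); failures are counted per bucket and the
        endpoint refuses further attempts once MAX_FAILURES is reached in the window."""
        if self._too_many_failures(client_key):
            return None                      # throttled: do not even consult the store
        rec = self._records.get(self._hash(token))   # lookup by hash, never by raw token
        if rec is None or rec.used or self._clock() > rec.expires_at:
            self._record_failure(client_key)
            return None                      # same answer for unknown, expired and reused
        rec.used = True                      # single use: a replayed link is worthless
        return rec.user_id


if __name__ == "__main__":
    svc = PasswordResetService()
    link = svc.build_link(svc.issue("alice"))
    print("reset link (constructed):", link)
```

The redeem path deliberately returns the same result for an unknown, expired and already-used token, so the endpoint does not reveal which accounts have a pending reset. Because every lookup is by the hash of a high-entropy random value, the store can be a plain hash-keyed table; the throttle is what bounds an online guessing attempt, and the entropy is what makes the bound irrelevant in practice.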
Details
- CWE(s): CWE-640 (Weak Password Recovery Mechanism for Forgotten Password)
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The vulnerability is in a public-facing application (T1190, Exploit Public-Facing Application) and allows unauthenticated attackers to predict or brute-force password reset links (T1110, Brute Force), enabling arbitrary account takeovers.