CVEs classified under CWE-1390, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2025-30412 — CVSS 10.0 (critical): Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16…
CVE-2025-30411 — CVSS 10.0 (critical): Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16…
CVE-2026-6886 — CVSS 9.8 (critical): Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has a Authentication Bypass vulnerability, allowing…
CVE-2026-28710 — CVSS 9.8 (critical): Sensitive information disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber…
CVE-2025-40554 — CVSS 9.8 (critical): SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker…
CVE-2025-40552 — CVSS 9.8 (critical): SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious…
CVE-2023-53894 — CVSS 9.8 (critical): phpfm 1.7.9 contains an authentication bypass vulnerability that allows attackers to log in by exploiting loose type comparison in password…
CVE-2025-12871 — CVSS 9.8 (critical): The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to craft administrator…
CVE-2025-12870 — CVSS 9.8 (critical): The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to send crafted packets…
CVE-2024-54092 — CVSS 9.8 (critical): A vulnerability has been identified in Industrial Edge Device Kit - arm64 V1.17 (All versions), Industrial Edge Device Kit - arm64 V1.18…
CVE-2025-1387 — CVSS 9.8 (critical): Orca HCM from LEARNING DIGITAL has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to log in to the…
CVE-2024-45367 — CVSS 9.1 (critical): The web server for ONS-S8 - Spectra Aggregation Switch includes an incomplete authentication process, which can lead to an attacker…
CVE-2024-39848 — CVSS 9.1 (critical): Internet2 Grouper before 5.6 allows authentication bypass when LDAP authentication is used in certain ways. This is related to…
CVE-2024-34451 — CVSS 9.1 (critical): Ghost through 5.85.1 allows remote attackers to bypass an authentication rate-limit protection mechanism by using many X-Forwarded-For…
CVE-2024-48886 — CVSS 9.0 (critical): A weak authentication in Fortinet FortiOS versions 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15…
CVE-2024-38182 — CVSS 9.0 (critical): Weak authentication in Microsoft Dynamics 365 allows an unauthenticated attacker to elevate privileges over a network.
CVE-2025-59249 — CVSS 8.8 (high): Weak authentication in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network.
CVE-2025-27740 — CVSS 8.8 (high): Weak authentication in Windows Active Directory Certificate Services allows an authorized attacker to elevate privileges over a network.
CVE-2025-23058 — CVSS 8.8 (high): A vulnerability in the ClearPass Policy Manager web-based management interface allows a low-privileged (read-only) authenticated remote…
CVE-2024-36787 — CVSS 8.8 (high): An issue in Netgear WNR614 JNR1010V2 N300-V1.1.0.54_1.0.1 allows attackers to bypass authentication and access the administrative interface…
CVE-2025-5484 — CVSS 8.3 (high): A username and password are required to authenticate to the central SinoTrack device management interface. The username for all devices is…
CVE-2026-4924 — CVSS 8.2 (high): Improper authentication in the two-factor authentication (2FA) feature in Devolutions Server 2026.1.11 and earlier allows a remote attacker…
CVE-2026-4828 — CVSS 8.2 (high): Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid…
CVE-2025-29994: This vulnerability exists in the CAP back office application due to improper authentication check at the API endpoint. An unauthenticated…
CVE-2025-1293 — CVSS 8.2 (high): Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for…
CVE-2024-52541 — CVSS 8.2 (high): Dell Client Platform BIOS contains a Weak Authentication vulnerability. A high privileged attacker with local access could potentially…
CVE-2026-0274: An improper validation of credentials vulnerability in the CommvaultSecurityIQ integration for Cortex XSOAR and Cortex XSIAM allows an…
CVE-2026-44237 — CVSS 8.1 (high): FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client…
CVE-2025-49201 — CVSS 8.1 (high): A weak authentication vulnerability in Fortinet FortiPAM 1.5.0, FortiPAM 1.4.0 through 1.4.2, FortiPAM 1.3 all versions, FortiPAM 1.2 all…
CVE-2025-1727 — CVSS 8.1 (high): The protocol used for remote linking over RF for End-of-Train and Head-of-Train (also known as a FRED) relies on a BCH checksum for packet…
CVE-2025-26343 — CVSS 8.1 (high): A CWE-1390 "Weak Authentication" in the PIN authentication mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an…
CVE-2026-40417 — CVSS 7.8 (high): Weak authentication in Dynamics Business Central allows an authorized attacker to elevate privileges locally.
CVE-2025-11084: A security issue exists within DataMosaix™ Private Cloud, allowing attackers to bypass MFA during setup and obtain a valid login-token…
CVE-2025-57713 — CVSS 7.5 (high): A weak authentication vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to…
CVE-2024-47397 — CVSS 7.5 (high): Weak authentication issue exists in AE1021 firmware versions 2.0.10 and earlier and AE1021PE firmware versions 2.0.10 and earlier. If this…
CVE-2025-70994 — CVSS 7.3 (high): Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system. The…
CVE-2024-50563 — CVSS 7.3 (high): A weak authentication in Fortinet FortiManager Cloud, FortiAnalyzer versions 7.6.0 through 7.6.1, 7.4.1 through 7.4.3, FortiAnalyzer Cloud…
CVE-2025-7326 — CVSS 7.0 (high): Weak authentication in EOL ASP.NET Core allows an unauthorized attacker to elevate privileges over a network. NOTE: This CVE affects only…
CVE-2025-24070 — CVSS 7.0 (high): Weak authentication in ASP.NET Core & Visual Studio allows an unauthorized attacker to elevate privileges over a network.
CVE-2025-30468 — CVSS 6.5 (medium): This issue was addressed through improved state management. This issue is fixed in iOS 26 and iPadOS 26. Private Browsing tabs may be…
CVE-2025-47995 — CVSS 6.5 (medium): Weak authentication in Azure Machine Learning allows an authorized attacker to elevate privileges over a network.
CVE-2025-32885 — CVSS 6.5 (medium): An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. The app there makes it possible to inject any custom…
CVE-2025-26635 — CVSS 6.5 (medium): Weak authentication in Windows Hello allows an authorized attacker to bypass a security feature over a network.
CVE-2025-21552 — CVSS 6.5 (medium): Vulnerability in the JD Edwards EnterpriseOne Orchestrator product of Oracle JD Edwards (component: E1 IOT Orchestrator Security)…