CWE-294
AllowedAuthentication Bypass by Capture-replay
Abstraction: Base · Status: Incomplete
A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
342 vulnerabilities reference this CWE, most recent first.
GHSA-C7JM-38GQ-H67H
Vulnerability from github – Published: 2026-06-19 21:16 – Updated: 2026-06-19 21:16Impact
ServerFilters.DigestAuth and the underlying DigestAuthProvider both defaulted their nonceVerifier parameter to { true } — i.e. every nonce was accepted regardless of value, age, or prior use. Any deployment using the default configuration had no replay protection on Digest authentication; a captured Authorization: Digest … response could be replayed indefinitely against the same protected resource.
The nonce-verification mechanism in Digest auth is the primary anti-replay control — without it, Digest reduces to a credential bound only to a stale nonce string.
Who is affected: any application using ServerFilters.DigestAuth or DigestAuthProvider with the default nonceVerifier. The broken default has been present since DigestAuthProvider was introduced (2021). Exploitation requires the attacker to first capture a valid Digest response (network observation, log access, etc.) — non-trivial in modern TLS deployments but not impossible. Anyone running Digest auth with default config should treat upgrade as urgent.
Patches
| Line | Fixed in | Edition |
|---|---|---|
| v6.x (Community) | 6.48.0.0 | Community |
| v5.x (LTS) | 5.42.0.0 | Enterprise — contact enterprise@http4k.org (if Digest auth is present in your v5.x line) |
| v4.x (LTS) | 4.51.0.0 | Enterprise — contact enterprise@http4k.org (if Digest auth is present in your v4.x line) |
The fix ([Break]) removes the default value for nonceVerifier from both ServerFilters.DigestAuth and DigestAuthProvider. Callers must now supply a real verifier explicitly — the broken default cannot be silently inherited.
Workarounds
For deployments that cannot upgrade immediately: explicitly supply a nonceVerifier that tracks issued nonces, enforces a TTL, and rejects re-use. Do not rely on the default.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.http4k:http4k-security-digest"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0.0"
},
{
"fixed": "6.48.0.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.http4k:http4k-security-digest"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0.0"
},
{
"fixed": "5.42.0.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.http4k:http4k-security-digest"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.51.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-294"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T21:16:09Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\n`ServerFilters.DigestAuth` and the underlying `DigestAuthProvider` both defaulted their `nonceVerifier` parameter to `{ true }` \u2014 i.e. every nonce was accepted regardless of value, age, or prior use. Any deployment using the default configuration had **no replay protection** on Digest authentication; a captured `Authorization: Digest \u2026` response could be replayed indefinitely against the same protected resource.\n\nThe nonce-verification mechanism in Digest auth is the primary anti-replay control \u2014 without it, Digest reduces to a credential bound only to a stale nonce string.\n\n**Who is affected:** any application using `ServerFilters.DigestAuth` or `DigestAuthProvider` with the default `nonceVerifier`. The broken default has been present since `DigestAuthProvider` was introduced (2021). Exploitation requires the attacker to first capture a valid Digest response (network observation, log access, etc.) \u2014 non-trivial in modern TLS deployments but not impossible. Anyone running Digest auth with default config should treat upgrade as urgent.\n\n### Patches\n\n| Line | Fixed in | Edition |\n|------|----------|---------|\n| v6.x (Community) | **6.48.0.0** | Community |\n| v5.x (LTS) | **5.42.0.0** | Enterprise \u2014 contact [enterprise@http4k.org](mailto:enterprise@http4k.org) (if Digest auth is present in your v5.x line) |\n| v4.x (LTS) | **4.51.0.0** | Enterprise \u2014 contact [enterprise@http4k.org](mailto:enterprise@http4k.org) (if Digest auth is present in your v4.x line) |\n\nThe fix (`[Break]`) removes the default value for `nonceVerifier` from both `ServerFilters.DigestAuth` and `DigestAuthProvider`. Callers must now supply a real verifier explicitly \u2014 the broken default cannot be silently inherited.\n\n### Workarounds\n\nFor deployments that cannot upgrade immediately: explicitly supply a `nonceVerifier` that tracks issued nonces, enforces a TTL, and rejects re-use. Do not rely on the default.",
"id": "GHSA-c7jm-38gq-h67h",
"modified": "2026-06-19T21:16:09Z",
"published": "2026-06-19T21:16:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/http4k/http4k/security/advisories/GHSA-c7jm-38gq-h67h"
},
{
"type": "WEB",
"url": "https://github.com/http4k/http4k/commit/4f904b4692"
},
{
"type": "WEB",
"url": "https://github.com/http4k/http4k/commit/8a52b615b1"
},
{
"type": "WEB",
"url": "https://datatracker.ietf.org/doc/html/rfc7616#section-3.4"
},
{
"type": "PACKAGE",
"url": "https://github.com/http4k/http4k"
},
{
"type": "WEB",
"url": "https://github.com/http4k/http4k/releases/tag/6.48.0.0"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "http4k: `ServerFilters.DigestAuth` / `DigestAuthProvider` defaulted to an always-true nonce verifier, disabling replay protection in default deployments"
}
GHSA-C7W2-F8M6-PXP8
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2024-04-04 05:32A CWE-294: Authentication Bypass by Capture-replay vulnerability exists that could cause execution of unauthorized Modbus functions on the controller when hijacking an authenticated Modbus session. Affected Products: EcoStruxure™ Control Expert (All Versions), EcoStruxure™ Process Expert (Version V2020 & prior), Modicon M340 CPU (part numbers BMXP34) (All Versions), Modicon M580 CPU (part numbers BMEP and BMEH) (All Versions), Modicon M580 CPU Safety (part numbers BMEP58S and BMEH58*S) (All Versions)
{
"affected": [],
"aliases": [
"CVE-2022-45789"
],
"database_specific": {
"cwe_ids": [
"CWE-294"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-31T06:15:00Z",
"severity": "CRITICAL"
},
"details": "A CWE-294: Authentication Bypass by Capture-replay vulnerability exists that could cause execution of unauthorized Modbus functions on the controller when hijacking an authenticated Modbus session. Affected Products: EcoStruxure\u2122 Control Expert (All Versions), EcoStruxure\u2122 Process Expert (Version V2020 \u0026 prior), Modicon M340 CPU (part numbers BMXP34*) (All Versions), Modicon M580 CPU (part numbers BMEP* and BMEH*) (All Versions), Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) (All Versions)",
"id": "GHSA-c7w2-f8m6-pxp8",
"modified": "2024-04-04T05:32:02Z",
"published": "2023-07-06T19:24:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45789"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-010-06\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-010-06_Modicon_Controllers_Security_Notification.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C8J5-2W73-CW74
Vulnerability from github – Published: 2026-07-09 18:31 – Updated: 2026-07-10 18:32MERCURY MIPC252W IP camera v1.0.5 Build 230306 Rel.79931n does not implement nonce expiration in RTSP Digest authentication. An adjacent network attacker can capture a legitimate authentication exchange and replay the nonce and response values in a new connection to bypass authentication without knowledge of the device credentials, gaining unauthorized access to the live video stream.
{
"affected": [],
"aliases": [
"CVE-2026-51597"
],
"database_specific": {
"cwe_ids": [
"CWE-294"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-09T17:16:59Z",
"severity": "CRITICAL"
},
"details": "MERCURY MIPC252W IP camera v1.0.5 Build 230306 Rel.79931n does not implement nonce expiration in RTSP Digest authentication. An adjacent network attacker can capture a legitimate authentication exchange and replay the nonce and response values in a new connection to bypass authentication without knowledge of the device credentials, gaining unauthorized access to the live video stream.",
"id": "GHSA-c8j5-2w73-cw74",
"modified": "2026-07-10T18:32:08Z",
"published": "2026-07-09T18:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-51597"
},
{
"type": "WEB",
"url": "https://github.com/kkkk2222874/cve_ID_report/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_5th/README.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CG6C-Q2HX-69H7
Vulnerability from github – Published: 2026-03-26 18:56 – Updated: 2026-04-10 20:18Summary
Before v2026.3.23, the Plivo V2 verification path treated query-only variants of the same signed request as fresh verified work. Plivo V2 signatures authenticate baseUrl + nonce, but the replay key was derived from the full verification URL including the query string, so unsigned query-only changes minted a new verifiedRequestKey.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected:
< 2026.3.23 - Fixed:
>= 2026.3.23 - Latest released tag checked:
v2026.3.23-2(630f1479c44f78484dfa21bb407cbe6f171dac87) - Latest published npm version checked:
2026.3.23-2
Root Cause
The vulnerable logic lived in extensions/voice-call/src/webhook-security.ts. V2 signature validation already canonicalized to the base URL without query parameters, but the replay key used the full verificationUrl, letting query-only variants bypass replay identity stability.
Fix Commit(s)
b0ce53a79cf63834660270513e26d921899b4e5b—fix(voice-call): stabilize plivo v2 replay keys
Release Status
The fix commit is contained in released tags v2026.3.23 and v2026.3.23-2. The latest shipped tag and npm release both include the fix.
Code-Level Confirmation
extensions/voice-call/src/webhook-security.tsnow derives the V2 replay key withcreatePlivoV2ReplayKey(...), which hashesgetBaseUrlNoQuery(url)plus the nonce.extensions/voice-call/src/webhook-security.test.tscontains the regression testtreats query-only V2 variants as the same verified request.
Thanks @smaeljaish771 for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.23"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35618"
],
"database_specific": {
"cwe_ids": [
"CWE-294"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T18:56:32Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\nBefore `v2026.3.23`, the Plivo V2 verification path treated query-only variants of the same signed request as fresh verified work. Plivo V2 signatures authenticate `baseUrl + nonce`, but the replay key was derived from the full verification URL including the query string, so unsigned query-only changes minted a new `verifiedRequestKey`.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `\u003c 2026.3.23`\n- Fixed: `\u003e= 2026.3.23`\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Root Cause\nThe vulnerable logic lived in `extensions/voice-call/src/webhook-security.ts`. V2 signature validation already canonicalized to the base URL without query parameters, but the replay key used the full `verificationUrl`, letting query-only variants bypass replay identity stability.\n\n## Fix Commit(s)\n- `b0ce53a79cf63834660270513e26d921899b4e5b` \u2014 `fix(voice-call): stabilize plivo v2 replay keys`\n\n## Release Status\nThe fix commit is contained in released tags `v2026.3.23` and `v2026.3.23-2`. The latest shipped tag and npm release both include the fix.\n\n## Code-Level Confirmation\n- `extensions/voice-call/src/webhook-security.ts` now derives the V2 replay key with `createPlivoV2ReplayKey(...)`, which hashes `getBaseUrlNoQuery(url)` plus the nonce.\n- `extensions/voice-call/src/webhook-security.test.ts` contains the regression test `treats query-only V2 variants as the same verified request`.\n\nThanks @smaeljaish771 for reporting.",
"id": "GHSA-cg6c-q2hx-69h7",
"modified": "2026-04-10T20:18:52Z",
"published": "2026-03-26T18:56:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cg6c-q2hx-69h7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35618"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/b0ce53a79cf63834660270513e26d921899b4e5b"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-replay-identity-drift-via-query-only-variants-in-plivo-v2-verification"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Plivo V2 verified replay identity drifts on query-only variants"
}
GHSA-CG99-P6R9-C75P
Vulnerability from github – Published: 2023-06-13 18:30 – Updated: 2024-04-04 04:46GL.iNET GL-AR750S-Ext firmware v3.215 inserts the admin authentication token into a GET request when the OpenVPN Server config file is downloaded. The token is then left in the browser history or access logs, potentially allowing attackers to bypass authentication via session replay.
{
"affected": [],
"aliases": [
"CVE-2023-33621"
],
"database_specific": {
"cwe_ids": [
"CWE-294"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-13T16:15:13Z",
"severity": "MODERATE"
},
"details": "GL.iNET GL-AR750S-Ext firmware v3.215 inserts the admin authentication token into a GET request when the OpenVPN Server config file is downloaded. The token is then left in the browser history or access logs, potentially allowing attackers to bypass authentication via session replay.",
"id": "GHSA-cg99-p6r9-c75p",
"modified": "2024-04-04T04:46:46Z",
"published": "2023-06-13T18:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33621"
},
{
"type": "WEB",
"url": "https://justinapplegate.me/2023/glinet-CVE-2023-33621"
},
{
"type": "WEB",
"url": "http://gl-ar750s-ext.com"
},
{
"type": "WEB",
"url": "http://glinet.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CGPM-V8PX-PMW8
Vulnerability from github – Published: 2026-05-29 09:31 – Updated: 2026-05-29 15:30Weak authentication in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the user-set unlock PIN by passively observing a single PIN authentication exchange. The Infotainment Digital Round display computes its response using a non-cryptographic operation rather than a cryptographic challenge-response, so the PIN is mathematically derivable from one captured exchange, defeating the motorcycle's primary user-authentication control. Specific protocol details have been withheld pending vendor remediation.
{
"affected": [],
"aliases": [
"CVE-2026-49322"
],
"database_specific": {
"cwe_ids": [
"CWE-294"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-29T08:16:19Z",
"severity": "MODERATE"
},
"details": "Weak authentication in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the user-set unlock PIN by passively observing a single PIN authentication exchange. The Infotainment Digital Round display computes its response using a non-cryptographic operation rather than a cryptographic challenge-response, so the PIN is mathematically derivable from one captured exchange, defeating the motorcycle\u0027s primary user-authentication control. Specific protocol details have been withheld pending vendor remediation.",
"id": "GHSA-cgpm-v8px-pmw8",
"modified": "2026-05-29T15:30:32Z",
"published": "2026-05-29T09:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49322"
},
{
"type": "WEB",
"url": "https://cwe.mitre.org/data/definitions/1390.html"
},
{
"type": "WEB",
"url": "https://www.asrg.io/security-advisories/cve-2026-49322-indian-scout-infotainment-wcm-weak-authentication"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-CQJC-R43P-WJ4P
Vulnerability from github – Published: 2022-03-25 00:00 – Updated: 2022-04-01 00:00The remote keyless system on Honda Civic 2018 vehicles sends the same RF signal for each door-open request, which allows for a replay attack, a related issue to CVE-2019-20626.
{
"affected": [],
"aliases": [
"CVE-2022-27254"
],
"database_specific": {
"cwe_ids": [
"CWE-294"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-23T22:15:00Z",
"severity": "MODERATE"
},
"details": "The remote keyless system on Honda Civic 2018 vehicles sends the same RF signal for each door-open request, which allows for a replay attack, a related issue to CVE-2019-20626.",
"id": "GHSA-cqjc-r43p-wj4p",
"modified": "2022-04-01T00:00:56Z",
"published": "2022-03-25T00:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27254"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/1MtmWfBs1r6Y3JN1HpbNsZqO1GcsdgPdc/view?usp=sharing"
},
{
"type": "WEB",
"url": "https://github.com/HackingIntoYourHeart/Unoriginal-Rice-Patty"
},
{
"type": "WEB",
"url": "https://github.com/nonamecoder/CVE-2022-27254"
},
{
"type": "WEB",
"url": "https://news.ycombinator.com/item?id=30804702"
},
{
"type": "WEB",
"url": "https://www.bleepingcomputer.com/news/security/honda-bug-lets-a-hacker-unlock-and-start-your-car-via-replay-attack"
},
{
"type": "WEB",
"url": "https://www.theregister.com/2022/03/25/honda_civic_hack"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CR6H-4367-M34R
Vulnerability from github – Published: 2025-09-19 00:30 – Updated: 2025-09-19 00:30Cognex In-Sight Explorer and In-Sight Camera Firmware expose
a proprietary protocol on TCP port 1069 to perform management operations such as modifying system properties. The user management functionality handles sensitive data such as registered usernames and passwords over an unencrypted channel, allowing an adjacent attacker to intercept valid credentials to gain access to the device.
{
"affected": [],
"aliases": [
"CVE-2025-54810"
],
"database_specific": {
"cwe_ids": [
"CWE-294"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-18T22:15:46Z",
"severity": "HIGH"
},
"details": "Cognex In-Sight Explorer and In-Sight Camera Firmware expose \n\na proprietary protocol on TCP port 1069 to perform management operations\n such as modifying system properties. The user management functionality \nhandles sensitive data such as registered usernames and passwords over \nan unencrypted channel, allowing an adjacent attacker to intercept valid\n credentials to gain access to the device.",
"id": "GHSA-cr6h-4367-m34r",
"modified": "2025-09-19T00:30:58Z",
"published": "2025-09-19T00:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54810"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-261-06"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-CV4Q-4XGP-CR7M
Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2025-05-22 18:31Medtronic MMT 508 MiniMed insulin pump, 522 / MMT - 722 Paradigm REAL-TIME, 523 / MMT - 723 Paradigm Revel, 523K / MMT - 723K Paradigm Revel, and 551 / MMT - 751 MiniMed 530G The models identified above, when paired with a remote controller and having the "easy bolus" and "remote bolus" options enabled (non-default), are vulnerable to a capture-replay attack. An attacker can capture the wireless transmissions between the remote controller and the pump and replay them to cause an insulin (bolus) delivery.
{
"affected": [],
"aliases": [
"CVE-2018-14781"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-294"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-13T21:48:00Z",
"severity": "MODERATE"
},
"details": "Medtronic MMT 508 MiniMed insulin pump, 522 / MMT - 722 Paradigm REAL-TIME, 523 / MMT - 723 Paradigm Revel, 523K / MMT - 723K Paradigm Revel, and 551 / MMT - 751 MiniMed 530G The models identified above, when paired with a remote controller and having the \"easy bolus\" and \"remote bolus\" options enabled (non-default), are vulnerable to a capture-replay attack. An attacker can capture the wireless transmissions between the remote controller and the pump and replay them to cause an insulin (bolus) delivery.",
"id": "GHSA-cv4q-4xgp-cr7m",
"modified": "2025-05-22T18:31:09Z",
"published": "2022-05-13T01:34:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14781"
},
{
"type": "WEB",
"url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/minimed.html"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-02"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105044"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CV4X-33M6-3QRQ
Vulnerability from github – Published: 2025-10-09 21:31 – Updated: 2025-10-09 21:31Newforma Info Exchange (NIX) '/RemoteWeb/IntegrationServices.ashx' allows a remote, unauthenticated attacker to cause NIX to make an SMB connection to an attacker-controlled system. The attacker can capture the NTLMv2 hash of the NIX service account.
{
"affected": [],
"aliases": [
"CVE-2025-35057"
],
"database_specific": {
"cwe_ids": [
"CWE-294"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-09T21:15:36Z",
"severity": "MODERATE"
},
"details": "Newforma Info Exchange (NIX) \u0027/RemoteWeb/IntegrationServices.ashx\u0027 allows a remote, unauthenticated attacker to cause NIX to make an SMB connection to an attacker-controlled system. The attacker can capture the NTLMv2 hash of the NIX service account.",
"id": "GHSA-cv4x-33m6-3qrq",
"modified": "2025-10-09T21:31:12Z",
"published": "2025-10-09T21:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35057"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-282-01.json"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-35057"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Utilize some sequence or time stamping functionality along with a checksum which takes this into account in order to ensure that messages can be parsed only once.
Mitigation
Since any attacker who can listen to traffic can see sequence numbers, it is necessary to sign messages with some kind of cryptography to ensure that sequence numbers are not simply doctored along with content.
CAPEC-102: Session Sidejacking
Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.
CAPEC-509: Kerberoasting
Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. As an authenticated user, the adversary may request Active Directory and obtain a service ticket with portions encrypted via RC4 with the private key of the authenticated account. By extracting the local ticket and saving it disk, the adversary can brute force the hashed value to reveal the target account credentials.
CAPEC-555: Remote Services with Stolen Credentials
This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.
CAPEC-561: Windows Admin Shares with Stolen Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain.
CAPEC-60: Reusing Session IDs (aka Session Replay)
This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
CAPEC-644: Use of Captured Hashes (Pass The Hash)
An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.
CAPEC-645: Use of Captured Tickets (Pass The Ticket)
An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-701: Browser in the Middle (BiTM)
An adversary exploits the inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim's browser to the adversary's system. The adversary must deploy a web client with a remote desktop session that the victim can access.
CAPEC-94: Adversary in the Middle (AiTM)
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.