CVE-2025-26522

This vulnerability exists in RupeeWeb trading platform due to improper implementation of OTP validation mechanism in certain API endpoints. A remote attacker with valid credentials could exploit this vulnerability by manipulating API responses. Successful exploitation of this vulnerability could allow the attacker to bypass Two-Factor Authentication (2FA) for other user accounts.

CVSS

No CVSS.

References

Link	Resource
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2025-0020

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Esta vulnerabilidad existe en RupeeWeb trading platform debido a la implementación incorrecta del mecanismo de validación OTP en ciertos endpoints de API. Un atacante remoto con credenciales válidas podría aprovechar esta vulnerabilidad manipulando las respuestas de API. La explotación exitosa de esta vulnerabilidad podría permitir al atacante eludir la autenticación de dos factores (2FA) para otras cuentas de usuario.

14 Feb 2025, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-14 12:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-26522

Mitre link : CVE-2025-26522

CVE.ORG link : CVE-2025-26522

JSON object : View

Products Affected

No product.

CWE

CWE-302

Authentication Bypass by Assumed-Immutable Data

{"id": "CVE-2025-26522", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "vdisclose@cert-in.org.in", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-02-14T12:15:29.583", "references": [{"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2025-0020", "source": "vdisclose@cert-in.org.in"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "vdisclose@cert-in.org.in", "description": [{"lang": "en", "value": "CWE-302"}]}], "descriptions": [{"lang": "en", "value": "This vulnerability exists in RupeeWeb trading platform due to improper implementation of OTP validation mechanism in certain API endpoints. A remote attacker with valid credentials could exploit this vulnerability by manipulating API responses. \n\nSuccessful exploitation of this vulnerability could allow the attacker to bypass Two-Factor Authentication (2FA) for other user accounts."}, {"lang": "es", "value": "Esta vulnerabilidad existe en RupeeWeb trading platform debido a la implementaci\u00f3n incorrecta del mecanismo de validaci\u00f3n OTP en ciertos endpoints de API. Un atacante remoto con credenciales v\u00e1lidas podr\u00eda aprovechar esta vulnerabilidad manipulando las respuestas de API. La explotaci\u00f3n exitosa de esta vulnerabilidad podr\u00eda permitir al atacante eludir la autenticaci\u00f3n de dos factores (2FA) para otras cuentas de usuario."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "vdisclose@cert-in.org.in"}