CVE-2025-36754

The authentication mechanism on web interface is not properly implemented. It is possible to bypass authentication checks by crafting a post request with new settings since there is no session token or authentication in place. This would allow an attacker for instance to point the device to an arbitrary address for domain name resolution to e.g. facililitate a man-in-the-middle (MitM) attack.

CVSS

No CVSS.

References

Link	Resource
https://csirt.divd.nl/CVE-2025-36754/

Configurations

No configuration.

History

13 Dec 2025, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-13 16:16

Updated : 2025-12-15 18:22

NVD link : CVE-2025-36754

Mitre link : CVE-2025-36754

CVE.ORG link : CVE-2025-36754

JSON object : View

Products Affected

No product.

CWE

CWE-290

Authentication Bypass by Spoofing

{"id": "CVE-2025-36754", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "csirt@divd.nl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-12-13T16:16:54.570", "references": [{"url": "https://csirt.divd.nl/CVE-2025-36754/", "source": "csirt@divd.nl"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "csirt@divd.nl", "description": [{"lang": "en", "value": "CWE-290"}]}], "descriptions": [{"lang": "en", "value": "The authentication mechanism on web interface is not properly implemented. It is\u00a0possible to bypass authentication checks by crafting a post request with new settings\u00a0since there is no session token or authentication in place. This would allow an\u00a0attacker for instance to point the device to an arbitrary address for domain name resolution to e.g. facililitate a man-in-the-middle (MitM) attack."}], "lastModified": "2025-12-15T18:22:13.783", "sourceIdentifier": "csirt@divd.nl"}

CVE-2025-36754

JSON object

Attach tags to CVE-2025-36754

Attach tags to `CVE-2025-36754`