
CWE-1390 — Vulnerability Class 62

62 vulnerabilities classified as CWE-1390. AI Chinese analysis included.

CWE-1390 represents a critical authentication weakness where the system fails to adequately verify a user’s claimed identity, allowing unauthorized access through insufficient proof mechanisms. Attackers typically exploit this vulnerability by bypassing security controls with minimal effort, often leveraging weak passwords, missing multi-factor authentication, or flawed session management to gain illicit entry. This deficiency enables rapid credential stuffing or brute-force attacks that succeed where robust systems would fail. To mitigate this risk, developers must implement strong, multi-layered authentication protocols, including complex password policies, multi-factor authentication, and adaptive risk-based analysis. By ensuring that identity verification is rigorous and resistant to common bypass techniques, organizations can significantly reduce the attack surface and protect sensitive resources from unauthorized exploitation.

MITRE CWE Description
The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct. Attackers may be able to bypass weak authentication faster and/or with less effort than expected.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control
Impact: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.
Examples (1)
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-27740 | Active Directory Certificate Services Elevation of Privilege Vulnerability | Windows Server 2008 R2 Service Pack 1 | 8.8 | High | 2025-04-08 |
| CVE-2024-54092 | Siemens Industrial Edge Devices Security Vulnerability | Industrial Edge Device Kit - arm64 V1.17 | 9.8 | Critical | 2025-04-08 |
| CVE-2024-45551 | Weak Authentication in HLOS | Snapdragon | 6.2 | Medium | 2025-04-07 |
| CVE-2025-29991 | Yubico YubiKey Security Vulnerability | YubiKey | 2.2 | Low | 2025-04-03 |
| CVE-2025-31676 | Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-001 | Email TFA | 9.8 | - | 2025-03-31 |
| CVE-2025-29994 | Improper Authentication Vulnerability in CAP back office application | CAP back office application | 8.2 | - | 2025-03-13 |
| CVE-2025-24070 | ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability | ASP.NET Core 8.0 | 7.0 | High | 2025-03-11 |
| CVE-2025-1293 | HashiCorp Hermes Improperly Validates AWS ALB JWTs, which May Lead to Authentication Bypass | Tooling | 8.2 | High | 2025-02-20 |
| CVE-2024-52541 | Dell Client Platform BIOS Security Vulnerability | Dell Client Platform BIOS | 8.2 | High | 2025-02-19 |
| CVE-2025-1387 | Learning Digital Orca HCM - Improper Authentication | Orca HCM | 9.8 | Critical | 2025-02-17 |
| CVE-2025-26343 | Q-Free MAXTIME Suite Security Vulnerability | MaxTime | 8.1 | High | 2025-02-12 |
| CVE-2024-50563 | Multiple Fortinet Products Security Vulnerability | FortiAnalyzer | 6.7 | High | 2025-01-16 |
| CVE-2024-48886 | Fortinet FortiOS Security Vulnerability | FortiOS | 8.0 | Critical | 2025-01-14 |
| CVE-2024-13239 | Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2024-003 | Two-factor Authentication (TFA) | 9.8 | - | 2025-01-09 |
| CVE-2024-47397 | FXC AE1021 and FXC AE1021PE Security Vulnerability | AE1021 | 7.5 | High | 2024-12-18 |
| CVE-2023-41862 | WordPress VS Contact Form plugin <= 14.0 - Sum Captcha Bypass vulnerability | VS Contact Form | 5.3 | Medium | 2024-12-13 |
| CVE-2024-49019 | Active Directory Certificate Services Elevation of Privilege Vulnerability | Windows Server 2019 | 7.8 | High | 2024-11-12 |
| CVE-2024-45367 | Optigo Networks ONS-S8 Spectra Aggregation Switch Weak Authentication | ONS-S8 Spectra Aggregation Switch | 9.1 | Critical | 2024-10-03 |
| CVE-2024-41722 | goTenna Pro ATAK Plugin Weak Authentication | Pro ATAK Plugin | 6.5 | Medium | 2024-09-26 |
| CVE-2024-47127 | Weak Authentication in goTenna Pro | Pro | 6.5 | Medium | 2024-09-26 |
| CVE-2024-8322 | Ivanti EPM Security Vulnerability | Endpoint Manager | 4.3 | Medium | 2024-09-10 |
| CVE-2024-38239 | Windows Kerberos Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 7.2 | High | 2024-09-10 |
| CVE-2024-38182 | Microsoft Dynamics 365 Elevation of Privilege Vulnerability | Dynamics 365 Field Service (on-premises) v7 series | 9.0 | Critical | 2024-07-31 |
| CVE-2024-6580 | /n software IPWorks SSH insufficient file access verification | IPWorks SSH SFTPServer | 7.5 | High | 2024-07-08 |
| CVE-2024-5891 | Quay: unauthorized user may authenticate via oauth application token | Red Hat Quay 3 | 4.2 | Medium | 2024-06-12 |
| CVE-2024-35248 | Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability | Microsoft Dynamics 365 Business Central 2023 Release Wave 1 | 7.3 | High | 2024-06-11 |
| CVE-2024-0822 | Ovirt: authentication bypass | | 7.5 | High | 2024-01-25 |
| CVE-2023-4094 | Weak authentication vulnerability in Fujitsu Arconte Áurea | Arconte Áurea | 6.5 | Medium | 2023-09-19 |
| CVE-2023-41900 | Jetty's OpenId Revoked authentication allows one request | jetty.project | 3.5 | Low | 2023-09-15 |
| CVE-2022-45860 | Fortinet FortiNAC Authorization Issue Vulnerability | FortiNAC | 5.0 | Medium | 2023-05-03 |

Vulnerabilities classified as CWE-1390 represent 62 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.