
CWE-287 (Improper Authentication) — Vulnerability Class (1203 CVEs)

1203 vulnerabilities classified as CWE-287 (Improper Authentication). AI-generated Chinese-language analysis included.

CWE-287 represents a critical authentication weakness where a system fails to adequately verify the identity of an actor claiming a specific identity. This flaw typically allows attackers to bypass security controls by exploiting insufficient verification mechanisms, enabling unauthorized access through stolen credentials, brute-force attacks, or session hijacking. When authentication logic is flawed, malicious entities can impersonate legitimate users, leading to severe data breaches and privilege escalation. Developers mitigate this risk by implementing robust, multi-factor authentication protocols and ensuring that identity verification processes are rigorous and resistant to common attack vectors. By strictly validating credentials against secure, hashed databases and employing adaptive security measures, organizations can significantly reduce the likelihood of unauthorized access, thereby protecting sensitive information and maintaining system integrity against sophisticated cyber threats.

MITRE CWE Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control
Impact: Read Application Data; Gain Privileges or Assume Identity; Execute Unauthorized Code or Commands
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.

Mitigations (1)
Phase: Architecture and Design
Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.
    use CGI;

    my $q = new CGI;

    if ($q->cookie('loggedin') ne "true") {
        if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
            ExitError("Error: you need to log in first");
        }
        else {
            # Set loggedin and user cookies.
            $q->cookie(
                -name  => 'loggedin',
                -value => 'true'
            );
            $q->cookie(
                -name  => 'user',
                -value => $q->param('username')
            );
        }
    }

    # The 'user' cookie is client-controlled, so this check trusts the client.
    if ($q->cookie('user') eq "Administrator") {
        DoAdministratorTasks();
    }

Bad · Perl

A request that sets both cookies itself and never goes through AuthenticateUser:

    GET /cgi-bin/vulnerable.cgi HTTP/1.1
    Cookie: user=Administrator
    Cookie: loggedin=true

    [body of request]

Attack
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
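The two weaknesses illustrated above are that identity is read back from cookies the client can set itself, and that nothing limits how many passwords may be tried against one account. The following is an added example (not code from MITRE or from the CWE entry) of a hardened login component in Python: identity comes only from a server-side session table keyed by a random token, so a forged "loggedin=true; user=Administrator" cookie carries no weight, and each account gets a failed-attempt counter with a temporary lockout. The user record, the passwords, the policy constants MAX_FAILED_ATTEMPTS and LOCKOUT_SECONDS, and the FakeClock are all constructed for the demo.

```python
"""Hardened counterpart to the cookie-trusting CGI example (added example)."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

PBKDF2_ITERATIONS = 100_000      # kept modest so the demo runs quickly
MAX_FAILED_ATTEMPTS = 5          # hypothetical policy value
LOCKOUT_SECONDS = 15 * 60        # hypothetical policy value


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; never store or compare plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Authenticator:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.users = {}      # username -> (salt, password_hash)
        self.sessions = {}   # session token -> username, server-side only
        self.failures = {}   # username -> (failed_count, locked_until)

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt))

    def is_locked(self, username: str) -> bool:
        count, until = self.failures.get(username, (0, 0.0))
        return count >= MAX_FAILED_ATTEMPTS and self.clock() < until

    def login(self, username: str, password: str) -> Optional[str]:
        """Return a fresh session token on success, None on any failure."""
        if self.is_locked(username):
            return None                      # refuse even a correct password
        record = self.users.get(username)
        # Hash against a dummy record for unknown users so response time
        # does not reveal which usernames exist.
        salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
        ok = hmac.compare_digest(hash_password(password, salt), stored) and record is not None
        if not ok:
            count, until = self.failures.get(username, (0, 0.0))
            if count >= MAX_FAILED_ATTEMPTS and self.clock() >= until:
                count = 0                    # previous lockout has expired
            count += 1
            until = self.clock() + LOCKOUT_SECONDS if count >= MAX_FAILED_ATTEMPTS else 0.0
            self.failures[username] = (count, until)
            return None
        self.failures.pop(username, None)
        token = secrets.token_urlsafe(32)    # unguessable, issued only here
        self.sessions[token] = username
        return token

    def current_user(self, cookies: dict) -> Optional[str]:
        """Identity is looked up from the session table. Any 'loggedin' or
        'user' cookie the client sends is ignored entirely."""
        return self.sessions.get(cookies.get("session", ""))

    def is_administrator(self, cookies: dict) -> bool:
        return self.current_user(cookies) == "Administrator"


class FakeClock:
    """Constructed clock so the lockout window can be advanced in a test."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    clock = FakeClock()
    auth = Authenticator(clock)
    auth.add_user("Administrator", "correct horse battery staple")   # constructed
    results = {}
    # The forged request from the page: both cookies set by the client.
    forged = {"loggedin": "true", "user": "Administrator"}
    results["forged_cookie_is_admin"] = auth.is_administrator(forged)
    # A short brute-force run trips the lockout.
    for _ in range(MAX_FAILED_ATTEMPTS):
        auth.login("Administrator", "wrong")
    results["locked_after_failures"] = auth.is_locked("Administrator")
    results["correct_password_while_locked"] = auth.login(
        "Administrator", "correct horse battery staple")
    # After the window passes, a real login yields a server-issued session.
    clock.now += LOCKOUT_SECONDS + 1
    token = auth.login("Administrator", "correct horse battery staple")
    results["real_session_is_admin"] = auth.is_administrator({"session": token})
    return results


if __name__ == "__main__":
    print(demo())
```

The session token is the only thing the server reads back from the client, and it is meaningful only because the server wrote it into its own table; the user's role is derived from that table, never from a cookie value. In a deployment the lockout state would live in shared storage and would be paired with per-source rate limiting, since a per-account counter alone still permits password spraying across many accounts.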
Scores and severities marked (AI) carry the listing's AI marker.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-9063 | Rockwell Automation PanelView Plus 7 Performance Series B Authentication Bypass | PanelView Plus 7 Performance Series B | 9.1 (AI) | Critical (AI) | 2025-10-14 |
| CVE-2025-11192 | Fabric Engine (VOSS) AutoSense Authentication Bypass | Fabric Engine (VOSS) | 7.5 (AI) | High (AI) | 2025-10-07 |
| CVE-2025-11287 | samanhappy MCPHub sseService.ts handleSseConnection function improper authentication | MCPHub | 7.3 | High | 2025-10-05 |
| CVE-2025-54154 | QNAP Authenticator | QNAP Authenticator | 6.8 (AI) | Medium (AI) | 2025-10-03 |
| CVE-2025-61665 | WeGIA: Broken Access Control in `get_relatorios_socios.php` Endpoint | WeGIA | 7.5 | - | 2025-10-02 |
| CVE-2025-41064 | Incorrect authentication in GTT's group OpenSIAC | OpenSIAC | 9.8 (AI) | Critical (AI) | 2025-10-02 |
| CVE-2025-20160 | Cisco IOS and Cisco IOS XE Software authorization issue vulnerability | IOS | 8.1 | High | 2025-09-24 |
| CVE-2025-9965 | UDP Service Weak Authentication | P series (P07, P10, P12, P15) | 9.1 (AI) | Critical (AI) | 2025-09-23 |
| CVE-2025-34186 | Ilevia EVE X1/X5 Server 4.7.18.0.eden Authentication Bypass | EVE X1/X5 Server | 9.8 (AI) | Critical (AI) | 2025-09-16 |
| CVE-2025-10365 | Authentication Bypass in Evertz SDVN | 3080ipx-10G | 9.8 | - | 2025-09-12 |
| CVE-2025-10288 | roncoo roncoo-pay list improper authentication | roncoo-pay | 5.3 | Medium | 2025-09-12 |
| CVE-2025-58065 | Flask App Builder has an Authentication Bypass vulnerability when using non AUTH_DB methods | Flask-AppBuilder | 6.5 | Medium | 2025-09-11 |
| CVE-2025-58060 | cups has Authentication bypass with AuthType Negotiate | cups | 8.0 | High | 2025-09-11 |
| CVE-2025-10224 | Incorrect Evaluation of LDAP Nested Groups during Login in AxxonSoft Axxon One (C-Werk) | AxxonOne C-Werk | 5.4 | Medium | 2025-09-10 |
| CVE-2025-55234 | Windows SMB Elevation of Privilege Vulnerability | Windows 10 Version 1507 | 8.8 | High | 2025-09-09 |
| CVE-2025-54918 | Windows NTLM Elevation of Privilege Vulnerability | Windows 10 Version 1507 | 8.8 | High | 2025-09-09 |
| CVE-2025-55241 | Azure Entra ID Elevation of Privilege Vulnerability | Microsoft Entra | 10.0 | Critical | 2025-09-04 |
| CVE-2025-52856 | VioStor | VioStor | 9.8 | - | 2025-08-29 |
| CVE-2025-7955 | RingCentral Communications 1.5 - 1.6.8 - Missing Server-Side Verification to Authentication Bypass via ringcentral_admin_login_2fa_verify Function | RingCentral Communications Plugin – FREE | 9.8 | Critical | 2025-08-28 |
| CVE-2025-9533 | TOTOLINK T10 formLoginAuth.htm improper authentication | T10 | 7.3 | High | 2025-08-27 |
| CVE-2025-55293 | Meshtastic allows crafting of specific NodeInfo packets that overwrite any publicKey saved in the NodeDB | firmware | 9.4 | Critical | 2025-08-18 |
| CVE-2025-8964 | code-projects Hostel Management System Login hostel_manage.exe improper authentication | Hostel Management System | 5.3 | Medium | 2025-08-14 |
| CVE-2025-55171 | WeGIA Anonymous Attacker can Delete Arbitrary Image file at endpoint `/html/personalizacao_remover.php` | WeGIA | 7.5 | High | 2025-08-12 |
| CVE-2025-55169 | WeGIA Path Traversal at endpoint 'html/socio/sistema/download_remessa.php' via parameter 'file' | WeGIA | 7.5 (AI) | High (AI) | 2025-08-12 |
| CVE-2025-53793 | Azure Stack Hub Information Disclosure Vulnerability | Azure Stack Hub 2406 | 7.5 | High | 2025-08-12 |
| CVE-2025-53778 | Windows NTLM Elevation of Privilege Vulnerability | Windows 10 Version 1507 | 8.8 | High | 2025-08-12 |
| CVE-2025-8838 | WinterChenS my-site Backend admin preHandle improper authentication | my-site | 7.3 | High | 2025-08-11 |
| CVE-2025-54888 | @fedify/fedify: Improper Authentication and Incorrect Authorization | fedify | 9.8 | - | 2025-08-09 |
| CVE-2025-53786 | Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability | Microsoft Exchange Server 2016 Cumulative Update 23 | 8.0 | High | 2025-08-06 |
| CVE-2025-8348 | Kehua Charging Pile Cloud Platform home improper authentication | Charging Pile Cloud Platform | 7.3 | High | 2025-07-31 |

Vulnerabilities classified as CWE-287 (Improper Authentication) represent 1203 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.