Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-290 (使用欺骗进行的认证绕过) — Vulnerability Class 245

245 vulnerabilities classified as CWE-290 (使用欺骗进行的认证绕过). AI Chinese analysis included.

CWE-290 represents a critical authentication weakness where systems fail to properly validate the origin of identity claims, allowing attackers to bypass security controls through spoofing. This vulnerability typically arises when authentication mechanisms rely on easily forged data, such as IP addresses or HTTP headers, without implementing robust verification. Attackers exploit this by injecting malicious or manipulated credentials that mimic legitimate users, thereby gaining unauthorized access to sensitive resources or administrative functions. To mitigate this risk, developers must implement multi-factor authentication and ensure that identity verification relies on cryptographically secure tokens rather than easily spoofable network identifiers. Additionally, rigorous input validation and strict adherence to secure authentication protocols, such as OAuth or OpenID Connect, help prevent attackers from impersonating valid entities, ensuring that only genuinely authenticated users can access protected systems.

MITRE CWE Description
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Common Consequences (1)
Access ControlBypass Protection Mechanism, Gain Privileges or Assume Identity
This weakness can allow an attacker to access resources which are not otherwise accessible without proper authentication.
Examples (2)
The following code authenticates users.
String sourceIP = request.getRemoteAddr(); if (sourceIP != null && sourceIP.equals(APPROVED_IP)) { authenticated = true; }
Bad · Java
Both of these examples check if a request is from a trusted address before responding to the request.
sd = socket(AF_INET, SOCK_DGRAM, 0); serv.sin_family = AF_INET; serv.sin_addr.s_addr = htonl(INADDR_ANY); servr.sin_port = htons(1008); bind(sd, (struct sockaddr *) & serv, sizeof(serv)); while (1) { memset(msg, 0x0, MAX_MSG); clilen = sizeof(cli); if (inet_ntoa(cli.sin_addr)==getTrustedAddress()) { n = recvfrom(sd, msg, MAX_MSG, 0, (struct sockaddr *) & cli, &clilen); } }
Bad · C
while(true) { DatagramPacket rp=new DatagramPacket(rData,rData.length); outSock.receive(rp); String in = new String(p.getData(),0, rp.getLength()); InetAddress clientIPAddress = rp.getAddress(); int port = rp.getPort(); if (isTrustedAddress(clientIPAddress) & secretKey.equals(in)) { out = secret.getBytes(); DatagramPacket sp =new DatagramPacket(out,out.length, IPAddress, port); outSock.send(sp); } }
Bad · Java
CVE IDTitleCVSSSeverityPublished
CVE-2025-58595 WordPress All In One Login plugin <= 2.0.8 - Bypass Vulnerability vulnerability — All In One Login 5.3 Medium2025-11-06
CVE-2025-59501 Microsoft Configuration Manager Spoofing Vulnerability — Microsoft Configuration Manager 4.8 Medium2025-10-31
CVE-2025-11843 Therefore™ Online and Therefore™ On-Premises contains an account impersonation issue, which could potentially allow the attacker to access all the stored data — Therefore Online and Therefore On-Premises 6.5 -2025-10-31
CVE-2025-61778 Akka.Remote TLS did not properly implement certificate-based authentication — akka.net 9.1AICriticalAI2025-10-06
CVE-2025-54288 Source Container Identification Vulnerability via cmdline Spoofing in devLXD Server — LXD 5.1AIMediumAI2025-10-02
CVE-2025-59154 Openfire allows potential identity spoofing via unsafe CN parsing — Openfire 5.9 Medium2025-09-15
CVE-2025-7448 Man in the middle (MitM) attack vulnerability in Wi-SUN library — Wi-SUN Stack 5.9 -2025-09-12
CVE-2025-8853 2100 Technology|Official Document Management System - Authentication Bypass — Official Document Management System 9.8 Critical2025-08-11
CVE-2025-36119 IBM i authentication bypass — i 7.1 High2025-08-08
CVE-2025-36594 Dell PowerProtect Data Domain 安全漏洞 — PowerProtect Data Domain Feature Release 9.8 Critical2025-08-04
CVE-2025-54576 OAuth2-Proxy has authentication bypass in oauth2-proxy skip_auth_routes due to Query Parameter inclusion — oauth2-proxy 9.1 Critical2025-07-30
CVE-2025-34063 OneLogin AD Connector JWT Authentication Bypass via Exposed Signing Key — OneLogin Active Directory Connector (ADC) 8.8AIHighAI2025-07-01
CVE-2025-34065 AVTECH IP camera, DVR, and NVR Devices Authentication Bypass via /nobody URL Path — IP camera, DVR, and NVR Devices 9.8AICriticalAI2025-07-01
CVE-2025-34053 AVTECH IP camera, DVR, and NVR Devices Authentication Bypass via .cab Path Manipulation — IP camera, DVR, and NVR devices 9.8AICriticalAI2025-07-01
CVE-2025-48937 matrix-sdk-crypto vulnerable to sender of encrypted events being spoofed by homeserver administrator — matrix-rust-sdk 4.9 Medium2025-06-10
CVE-2025-49004 Hijacking Caido instance during the initial setup via DNS Rebinding to achieve RCE — caido 7.5 High2025-06-09
CVE-2025-48906 Huawei HarmonyOS 安全漏洞 — HarmonyOS 8.8 High2025-06-06
CVE-2025-49002 Dataease H2 Database Remote Code Execution (RCE) Bypass Vulnerability — dataease 8.2AIHighAI2025-06-03
CVE-2025-48027 pGina 安全漏洞 — pGina.Fork 5.4 Medium2025-05-15
CVE-2025-27695 Dell Wyse Management Suite 安全漏洞 — Wyse Management Suite 4.9 Medium2025-05-08
CVE-2025-46345 Auth0 Account Link Extension JWT Invalid Signature Validation — auth0-account-link-extension 7.5AIHighAI2025-05-01
CVE-2025-32966 Dataease H2 JDBC Connection Remote Code Execution — dataease 8.8 -2025-04-23
CVE-2025-32788 OctoPrint Authenticated Reverse Proxy Page Authentication Bypass — OctoPrint 4.3 Medium2025-04-22
CVE-2025-32012 Jellyfin Vulnerable to Denial of Service (DoS) via IP Spoofing — jellyfin 6.5AIMediumAI2025-04-15
CVE-2025-32275 WordPress Survey Maker plugin <= 5.1.6.3 - Bypass vulnerability — Survey Maker 4.3 Medium2025-04-10
CVE-2025-32227 WordPress Asgaros Forum plugin <= 3.0.0 - File Upload Numbers Bypass vulnerability — Asgaros Forum 4.3 Medium2025-04-10
CVE-2025-31170 Huawei HarmonyOS和Huawei EMUI 安全漏洞 — HarmonyOS 8.4 High2025-04-07
CVE-2024-58127 Huawei EMUI和Huawei HarmonyOS 安全漏洞 — HarmonyOS 8.4 High2025-04-07
CVE-2024-58126 Huawei HarmonyOS和Huawei EMUI 安全漏洞 — HarmonyOS 8.4 High2025-04-07
CVE-2024-58125 Huawei HarmonyOS和Huawei EMUI 安全漏洞 — HarmonyOS 8.4 High2025-04-07

Vulnerabilities classified as CWE-290 (使用欺骗进行的认证绕过) represent 245 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.