CWE-603 (Use of Client-Side Authentication) — Vulnerability Class 19

19 vulnerabilities classified as CWE-603 (Use of Client-Side Authentication). AI Chinese analysis included.

CWE-603 represents a critical architectural flaw where authentication logic is implemented exclusively within client-side code, leaving the server-side validation incomplete or absent. This weakness is typically exploited by attackers who reverse-engineer the client application to understand the authentication mechanism, then modify the client code to bypass the local checks entirely. By omitting the authentication step in the modified client, attackers can directly access protected resources or perform unauthorized actions, effectively circumventing security controls. To avoid this vulnerability, developers must ensure that all critical security decisions, including identity verification and authorization checks, are performed strictly on the server side. Client-side mechanisms should only serve as user experience enhancements or input validation aids, never as the sole gatekeeper for sensitive operations, thereby ensuring that security cannot be trivially bypassed through code manipulation.

MITRE CWE Description
A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check. Client-side authentication is extremely weak and may be breached easily. Any attacker may read the source code and reverse-engineer the authentication mechanism to access parts of the application which would otherwise be protected.
Common Consequences (1)
Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity
Mitigations (1)
Architecture and Design: Do not rely on client-side data. Always perform server-side authentication.
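The weakness described above and the mitigation side by side, as an added example that is not taken from this page or from any of the listed products: a server that honours an `authenticated` flag computed by the client (CWE-603) next to one that verifies the credentials itself and issues its own session token. The user store, salt and password are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store: user -> PBKDF2 hash of the password.
SALT = b"constructed-static-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 50_000)}

def password_ok(user, password):
    """Credential check; which side runs it is the whole point of CWE-603."""
    expected = USERS.get(user)
    if expected is None:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)
    return hmac.compare_digest(expected, actual)

# --- CWE-603: the client authenticates, the server merely trusts its verdict ---
def vulnerable_server(request):
    # No credential check here; the server honours a flag the client set.
    if request.get("authenticated"):
        return {"status": 200, "body": "protected resource"}
    return {"status": 401, "body": "login required"}

def unmodified_client(user, password):
    # The shipped client runs password_ok locally and reports the result.
    verdict = password_ok(user, password)
    return vulnerable_server({"user": user, "authenticated": verdict})

def tampered_client(user):
    # A client with the local check removed: the server cannot tell the difference.
    return vulnerable_server({"user": user, "authenticated": True})

# --- Mitigation: the server performs authentication and owns the session state ---
SESSIONS = {}  # token -> user, held server-side only

def login(user, password):
    """Server-side login: returns a session token, or None on bad credentials."""
    if not password_ok(user, password):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = user
    return token

def hardened_server(request):
    # Only a token the server itself issued grants access; client flags are ignored.
    if SESSIONS.get(request.get("token", "")) is None:
        return {"status": 401, "body": "login required"}
    return {"status": 200, "body": "protected resource"}
```

Detection of the first pattern during review is simple: any server handler whose access decision depends on a client-supplied field such as `authenticated`, `role` or `is_admin` without a server-side check is an instance of this weakness.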
Examples (1)
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-40551 | Use of Client-Side Authentication in mpGabinet | mpGabinet | 7.8 (AI) | High (AI) | 2026-04-28
CVE-2025-30042 | Session generation possible with certificate number only | CGM CLININET | 6.6 (AI) | Medium (AI) | 2026-03-02
CVE-2026-1363 | JNC|IAQS and I6 - Client-Side Enforcement of Server-Side Security | IAQS | 9.8 | Critical | 2026-01-23
CVE-2025-64119 | Nuvation Energy BMS Client-side Authentication | Battery Management System | 9.8 | - | 2026-01-02
CVE-2025-61940 | Mirion Medical EC2 Software NMIS BioDose Use of Client-Side Authentication | EC2 Software NMIS BioDose | 8.3 | High | 2025-12-02
CVE-2025-12868 | CyberTutor|New Site Server - Use of Client-Side Authentication | New Site Server | 9.8 | Critical | 2025-11-10
CVE-2025-62650 | Restaurant Brands International assistant platform security vulnerability | assistant platform | 8.3 | High | 2025-10-17
CVE-2025-62649 | Restaurant Brands International assistant platform security vulnerability | assistant platform | 5.8 | Medium | 2025-10-17
CVE-2025-24517 | Inaba Denki Sangyo CHOCO TEI WATCHER mini security vulnerability | CHOCO TEI WATCHER mini (IB-MCT001) | 7.5 | High | 2025-03-31
CVE-2024-52327 | ECOVACS lawnmower and vacuum cloud service live video PIN bypass | ECOVACS HOME | 6.5 | Medium | 2025-01-23
CVE-2024-45785 | NEUMANN MUSASI security vulnerability | MUSASI | 7.5 | - | 2024-10-25
CVE-2024-39375 | Use of Client-Side Authentication in TELSAT marKoni FM Transmitter | Markoni-D (Compact) FM Transmitters | 9.8 (AI) | Critical (AI) | 2024-06-27
CVE-2022-3218 | Necta WiFi Mouse (Mouse Server) client-side authentication bypass | WiFi Mouse (Mouse Server) | 9.8 | - | 2022-09-19
CVE-2022-33139 | Siemens SIMATIC WinCC OA authorization issue vulnerability | Cerberus DMS | 9.8 | - | 2022-06-21
CVE-2021-43355 | Fresenius Kabi Agilia Connect Infusion System use of client-side authentication | Vigilant Software Suite (Mastermed Dashboard) | 7.3 | High | 2022-01-21
CVE-2020-27266 | Multiple Sooil products authorization issue vulnerability | SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A | 8.1 | - | 2021-01-19
CVE-2020-7591 | Siemens DESIGO INSIGHT security vulnerability | SIPORT MP | 8.8 | - | 2020-10-15
CVE-2020-6988 | Multiple Rockwell Automation products authorization issue vulnerability | Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior | 9.1 | - | 2020-03-16
CVE-2017-7909 | Advantech B+B SmartWorx MESR901 firmware security vulnerability | Advantech B+B SmartWorx MESR901 | 9.1 | - | 2017-05-06

Vulnerabilities classified as CWE-603 (Use of Client-Side Authentication) represent 19 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.