CVE-2025-28371: EnGenius ENH500 AP 2T2R V3.0 FW3.7.22 Incorrect Access Control

Description
EnGenius ENH500 AP 2T2R V3.0 FW3.7.22 is vulnerable to Incorrect Access Control via the password change function. The device fails to validate the current password, allowing an attacker to submit a password change request with an invalid current password and set a new password.

Vendor
EnGenius

Affected Product
Model: ENH500 Single Radio Management AP 2T2R
Firmware Version: 3.7.22
Device Version: 3.0

Affected Component

Vulnerability Type
Incorrect Access Control

Attack Type
Remote

Impact
Escalation of Privileges (Confirmed)

Attack Vectors
An attacker can exploit this vulnerability remotely by sending a crafted password change request without knowledge of the current password. This allows unauthorized password resets and potential takeover of the device.

Discoverer
Omar Fadel
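
The missing check, shown as an added example (not EnGenius firmware code and not part of the original advisory): a handler that ignores the current password beside one that verifies it, plus a regression check a firmware test suite could run against either. The `Account` class, the function names and the PBKDF2 parameters are hypothetical assumptions.

```python
import hashlib
import hmac
import os

def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2 parameters are illustrative assumptions, not the device's scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    """Hypothetical credential record (salted hash, no plaintext)."""
    def __init__(self, password: str):
        self.set_password(password)

    def set_password(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.digest = _derive(password, self.salt)

    def verify(self, candidate: str) -> bool:
        # Constant-time comparison of the derived hashes.
        return hmac.compare_digest(self.digest, _derive(candidate, self.salt))

def change_password_flawed(account, current, new) -> bool:
    # Flaw described in the advisory: 'current' is received but never checked.
    account.set_password(new)
    return True

def change_password_checked(account, current, new) -> bool:
    # Hardened form: refuse unless the supplied current password verifies.
    if not isinstance(current, str) or not isinstance(new, str) or not new:
        return False
    if not account.verify(current):
        return False
    account.set_password(new)
    return True

def rejects_wrong_current(change_fn) -> bool:
    """Regression check: a wrong current password must change nothing."""
    account = Account("original-pass")  # constructed sample values
    accepted = change_fn(account, "not-the-password", "replacement-pass")
    return (not accepted) and account.verify("original-pass")

if __name__ == "__main__":
    for fn in (change_password_flawed, change_password_checked):
        print(fn.__name__, "passes check:", rejects_wrong_current(fn))
```
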