CVE-2025-30236
8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Summary
Shearwater SecurEnvoy SecurAccess Enrol before 9.4.515 allows authentication through only a six-digit TOTP code (skipping a password check) if an HTTP POST request contains a SESSION parameter.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| SecurEnvoy | SecurAccess | 0 < 9.4.515 | affected |
Weaknesses
- CWE-472: CWE-472 External Control of Assumed-Immutable Web Parameter
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://reserge.org/probabilistically-breaking-securenvoy-totp/
- https://securenvoy.com/wp-content/uploads/2025/03/Release-Notes-9.4.515.pdf
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.