Home

Description

Synaccess netBooter NP-02x/NP-08x 6.8 contains an authentication bypass vulnerability in the webNewAcct.cgi script that allows unauthenticated attackers to create admin user accounts. Attackers can exploit the missing control check by sending crafted POST requests to create administrative accounts and gain unauthorized control over power supply management.

PUBLISHED Reserved 2025-12-24 | Published 2025-12-24 | Updated 2025-12-24 | Assigner VulnCheck




CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

Missing Authentication for Critical Function

Product status

6.8C
affected

6.5C
affected

6.4BC
affected

6.4A
affected

6.10
affected

5.53BC
affected

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab finder

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5500.php exploit

www.exploit-db.com/exploits/45920 exploit

www.exploit-db.com/exploits/45920 (ExploitDB-45920) exploit

www.synaccess-net.com (Vendor Product Homepage) product

www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5500.php (Zero Science Lab Disclosure (ZSL-2018-5500)) third-party-advisory

cve.org (CVE-2018-25134)

nvd.nist.gov (CVE-2018-25134)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.