CVE-2025-4558 | THREATINT

Description

The GPM from WormHole Tech has an Unverified Password Change vulnerability, allowing unauthenticated remote attackers to change any user's password and use the modified password to log into the system.

PUBLISHED Reserved 2025-05-12 | Published 2025-05-12 | Updated 2025-05-12 | Assigner twcert

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-620 Unverified Password Change

Product status

Default status

unaffected

Any version before 202502

affected

References

www.twcert.org.tw/tw/cp-132-10114-10b4b-1.html third-party-advisory

www.twcert.org.tw/en/cp-139-10115-f5f14-2.html third-party-advisory

cve.org (CVE-2025-4558)

nvd.nist.gov (CVE-2025-4558)

Download JSON