CVE-2025-46414 | THREATINT

Description

The affected product does not limit the number of attempts for inputting the correct PIN for a registered product, which may allow an attacker to gain unauthorized access using brute-force methods if they possess a valid device serial number. The API provides clear feedback when the correct PIN is entered. This vulnerability was patched in a server-side update on April 6, 2025.

PUBLISHED Reserved 2025-07-30 | Published 2025-08-08 | Updated 2025-08-08 | Assigner icscert

HIGH: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CRITICAL: 9.2CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-307

Product status

Default status

unaffected

all versions

affected

Default status

unaffected

all versions

affected

Default status

unaffected

all versions

affected

Default status

unaffected

all versions

affected

Default status

unaffected

all versions

affected

Default status

unaffected

all versions

affected

Default status

unaffected

all versions

affected

Credits

Anthony Rose of BC Security reported these vulnerabilities to CISA. finder

References

www.cisa.gov/news-events/ics-advisories/icsa-25-219-07

eg4electronics.com/contact/

cve.org (CVE-2025-46414)

nvd.nist.gov (CVE-2025-46414)

Download JSON