Description

The Vitogate 300 web interface fails to enforce proper server-side authentication and relies on frontend-based authentication controls. This allows an attacker to simply modify HTML elements in the browser’s developer tools to bypass login restrictions. By removing specific UI elements, an attacker can reveal the hidden administration menu, giving them full control over the device.

PUBLISHED Reserved 2025-08-26 | Published 2025-09-23 | Updated 2025-09-23 | Assigner Carrier




HIGH: 8.7 CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-602 Client-Side Enforcement of Server-Side Security

Product status

Default status
unaffected

1 (date) before 3.0.0.0
affected

Credits

Souvik Kandar of MicroSec (microsec.io) reporter

References

https/....carrier.com/product-security/advisories-resources/

cve.org (CVE-2025-9495)

nvd.nist.gov (CVE-2025-9495)
