CVE-2025-2859

An attacker with network access, could capture traffic and obtain user cookies, allowing the attacker to steal the active user session and make changes to the device via web, depending on the privileges obtained by the user.

CVSS

No CVSS.

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-arteches-satech-bcu

Configurations

No configuration.

History

04 Apr 2025, 13:15

Type	Values Removed	Values Added
Summary		(es) Un atacante con acceso a la red donde se encuentra el dispositivo vulnerable podría capturar tráfico y obtener cookies del usuario, lo que le permitiría robar la sesión activa de un usuario y realizar cambios en el dispositivo vía web, dependiendo de los privilegios obtenidos por el usuario.
Summary	(en) An attacker with access to the network where the vulnerable device is located could capture traffic and obtain cookies from the user, allowing them to steal a user's active session and make changes to the device via the web, depending on the privileges obtained by the user.	(en) An attacker with network access, could capture traffic and obtain user cookies, allowing the attacker to steal the active user session and make changes to the device via web, depending on the privileges obtained by the user.

28 Mar 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-28 14:15

Updated : 2025-04-04 13:15

NVD link : CVE-2025-2859

Mitre link : CVE-2025-2859

CVE.ORG link : CVE-2025-2859

JSON object : View

Products Affected

No product.

CWE

CWE-287

Improper Authentication

{"id": "CVE-2025-2859", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-03-28T14:15:20.810", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-arteches-satech-bcu", "source": "cve-coordination@incibe.es"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "An attacker with network\u00a0access,\u00a0could capture traffic and obtain user cookies, allowing the attacker to steal the active user session and make changes to the device via web, depending on the privileges obtained by the user."}, {"lang": "es", "value": "Un atacante con acceso a la red donde se encuentra el dispositivo vulnerable podr\u00eda capturar tr\u00e1fico y obtener cookies del usuario, lo que le permitir\u00eda robar la sesi\u00f3n activa de un usuario y realizar cambios en el dispositivo v\u00eda web, dependiendo de los privilegios obtenidos por el usuario."}], "lastModified": "2025-04-04T13:15:46.493", "sourceIdentifier": "cve-coordination@incibe.es"}