CVE-2025-3895

Published May 23, 2025

Last updated 2 months ago

CVSS critical 9.1

Overview

Description
Token used for resetting passwords in MegaBIP software are generated using a small space of random values combined with a queryable value. It allows an unauthenticated attacker who know user login names to brute force these tokens and change account passwords (including these belonging to administrators).  Version 5.20 of MegaBIP fixes this issue.
Source
cvd@cert.pl
NVD status
Awaiting Analysis

Risk scores

CVSS 4.0

Type
Secondary
Base score
9.1
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
CRITICAL

Weaknesses

cvd@cert.pl
CWE-334

Social media

Hype score
Not currently trending

  1. [CVE-2025-3895: CRITICAL] Cyber security flaw in MegaBIP software: Token for password resets easily brute-forced by attackers. Update to Version 5.20 to fix this vulnerability.#cve,CVE-2025-3895,#cybersecurity https://t.co/YuGdX7EYbc https://t.co/DV2NfRGxud

    @CveFindCom

    23 May 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.