MileSight DeviceHub - CWE-305 Missing Authentication for Critical Function
An attacker can access critical functions of the Milesight DeviceHub platform without possessing any credentials. The lack of authentication mechanisms (CWE-305) and access controls (CWE-306) enables privileged operations to be invoked directly over the network without requiring user interaction. The attack vector is network-based, requires no complex conditions or any privileges.
An attacker can gain full control over the system, including access to sensitive data, ability to modify it, and disrupt service availability — which corresponds to maximum scores for confidentiality, integrity, and availability on the CVSS scale.
Apply patches available from the manufacturer according to the references. It is also recommended to restrict network access to DeviceHub administrative interfaces using a firewall and implement network segmentation until the patch is deployed.
Milesight DeviceHub and Canonical Ubuntu Linux — versions indicated in the manufacturer's references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HCanonical Ubuntu
OSCanonical20.04Milesight Devicehub
APPMilesight3.0.1-r1
Related vulnerabilities
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debia...
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process Clea...
smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote att...
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is...