CRITICAL🇵🇱 Wersja polska

CVE-2025-2395

CVSS 9.8v3.1pub. 2025-03-17upd. 2025-11-18

The U-Office Force from e-Excellence has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to use a particular API and alter cookies to log in as an administrator.

🤖 AI Analysis
How it works

An attacker exploits specific APIs available without authentication, and then manipulates cookie values in such a way that the system treats them as a logged-in administrator. The error stems from improper user identity validation on the server side (CWE-565 — Reliance on Cookies without Validation and Integrity Checking). As a result, the access control mechanism based on cookies can be completely bypassed by an unauthorized person.

Impact

An attacker gains full administrative access to the U-Office Force system, which may lead to disclosure of confidential data, modification of system configuration, or complete system takeover.

Mitigation & patch

Apply patches available from the vendor according to references published by TWCERT/CC at: https://www.twcert.org.tw/en/cp-139-10012-d5bbc-2.html and https://www.twcert.org.tw/tw/cp-132-10011-3de72-1.html

Who is affected

The U-Office Force product from e-Excellence (Edetw); specific versions should be verified in the vendor references published by TWCERT/CC.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Edetw U Office Force

    APP
    Edetw
    < 28.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-3422CRITICAL9.3PL ✓ten sam produkt

Insecure Deserialization w Edetw U-Office Force umożliwia zdalne RCE

CVE-2023-32757CRITICAL9.8ten sam produkt

e-Excellence U-Office Force file uploading function does not restrict upload of file with dangerous type. An ...

CVE-2025-12864HIGH8.7ten sam produkt

U-Office Force developed by e-Excellence has a SQL Injection vulnerability, allowing authenticated remote atta...

CVE-2025-12865HIGH8.7ten sam produkt

U-Office Force developed by e-Excellence has a SQL Injection vulnerability, allowing authenticated remote atta...

CVE-2025-2396HIGH8.8ten sam produkt

The U-Office Force from e-Excellence has an Arbitrary File Upload vulnerability, allowing remote attackers wit...