CVE-2025-3895
published 2025-05-23


Priority: P352 | Severity: critical | CVSS 4.0 base score: 9.1
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.41% (32.9th percentile)
Tokens used for resetting passwords in MegaBIP software are generated from a small space of random values combined with a queryable value. This allows an unauthenticated attacker who knows user login names to brute-force these tokens and change account passwords (including those belonging to administrators). Version 5.20 of MegaBIP fixes this issue.

Affected (4 ranges)

Vendor      Product   Version range        Fixed in
jan_syski   megabip   <= 5.19
nodejs      undici    >= 0 < 5.29.0        5.29.0
nodejs      undici    >= 6.0.0 < 6.21.2    6.21.2
nodejs      undici    >= 7.0.0 < 7.5.0     7.5.0