CVE-2025-41346
published 2025-11-18CVE-2025-41346: Faulty authorization control in software WinPlus v24.11.27 by Informática del Este that allows another user to be impersonated simply by knowing their…
PriorityP260critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.28%
19.6th percentile
Faulty authorization control in software WinPlus v24.11.27 by Informática del Este that allows another user to be impersonated simply by knowing their 'numerical ID', meaning that an attacker could compromise another user's account, thereby affecting the confidentiality, integrity, and availability of the data stored in the application.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| iest | winplus | — | — |
| informatica_del_este | winplus | — | — |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.3CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cisa8.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-4486-rqpc-38g7: Faulty authorization control in software WinPlus v24
ghsa_unreviewed·2025-11-18
CVE-2025-41346 [CRITICAL] CWE-863 GHSA-4486-rqpc-38g7: Faulty authorization control in software WinPlus v24
Faulty authorization control in software WinPlus v24.11.27 by Informática del Este that allows another user to be impersonated simply by knowing their 'numerical ID', meaning that an attacker could compromise another user's account, thereby affecting the confidentiality, integrity, and availability of the data stored in the application.
CISA
ASUS RT-AX55 Routers OS Command Injection Vulnerability
cisa·2025-06-02·CVSS 8.8
CVE-2023-39780 [HIGH] CWE-78 ASUS RT-AX55 Routers OS Command Injection Vulnerability
Vulnerability: ASUS RT-AX55 Routers OS Command Injection Vulnerability
Affected: ASUS RT-AX55 Routers
ASUS RT-AX55 devices contain an OS command injection vulnerability that could allow a remote, authenticated attacker to execute arbitrary commands. As represented by CVE-2023-41346.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.asus.com/networking-iot-servers/wifi-6/all-series/rt-ax55/helpdesk_bios/?model2Name=RT-AX55 ; https://www.asus.com/content/asus-product-security-advisory/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-39780
Remediation Due Date: 2025-06-23
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-11-18
Published