CVE-2025-5095
published 2025-08-08

Priority: P272
Severity: critical (CVSS 3.1 base score 9.8)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.87% (54.3rd percentile)
Burk Technology ARC Solo's password change mechanism can be utilized without proper authentication procedures, allowing an attacker to take over the device. A password change request can be sent directly to the device's HTTP endpoint without providing valid credentials. The system does not enforce proper authentication or session validation, allowing the password change to proceed without verifying the request's legitimacy.

Affected

1 range

Vendor            Product    Version range   Fixed in
burk_technology   arc_solo   < 1.0.62        1.0.62

Detection & IOCs (extracted from sources)

  • A password change request can be sent directly to the device's HTTP endpoint without valid credentials. Monitor for requests to the ARC Solo password change endpoint that arrive without any authenticated session.
  • No session or authentication validation is enforced on the password change function. Alert on password change HTTP requests to ARC Solo devices that carry neither an Authorization header nor a session cookie; a legitimate change from the web UI is always made inside an authenticated session.
  • The vulnerability is exploitable remotely with low attack complexity and no privileges required. Prioritize detection on internet-facing or otherwise network-reachable ARC Solo devices running firmware prior to v1.0.62, and restrict network access to the HTTP management interface until they are updated.
  • All ARC Solo devices running firmware versions prior to v1.0.62 are vulnerable; update to v1.0.62 or later to remediate.
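The two checks listed above (is a device in the affected range, and did a password change request arrive without any authentication material) as a small detection helper. This is an added example, not code from the advisory, from Burk Technology, or from this site. Two things are assumptions because the advisory does not state them: the password change URL (`PASSWORD_CHANGE_PATHS` holds a placeholder path to be replaced with the endpoint observed on your own devices), and the log format (`LOG_RE` parses a constructed proxy-style line that records the Cookie and Authorization headers as `-` when absent). The sample log lines are constructed for the example.

```python
import re

# From the advisory: every ARC Solo firmware before 1.0.62 is affected.
FIXED_VERSION = (1, 0, 62)

# ASSUMPTION: the advisory does not name the password-change URL. Replace this
# placeholder with the path observed in your own ARC Solo traffic.
PASSWORD_CHANGE_PATHS = {"/cgi-bin/password"}


def parse_version(v):
    """'1.0.61' or 'v1.0.61' -> (1, 0, 61), so versions compare as tuples."""
    return tuple(int(part) for part in v.strip().lstrip("vV").split("."))


def is_vulnerable(version):
    """True when the firmware falls in the affected range '< 1.0.62'."""
    return parse_version(version) < FIXED_VERSION


# ASSUMPTION: constructed log format, as a reverse proxy or NIDS in front of
# the device might emit it. Fields: timestamp, client IP, method, path,
# status, then the Cookie and Authorization request headers ('-' if absent).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) cookie=(?P<cookie>\S+) authz=(?P<authz>\S+)$"
)


def scan_log(lines, paths=PASSWORD_CHANGE_PATHS):
    """Return one alert per password-change request that carried neither a
    session cookie nor an Authorization header (the IOC described above).
    The HTTP method is not restricted because the advisory does not state it."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # skip lines that do not follow the assumed format
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path not in paths:
            continue
        if m["cookie"] == "-" and m["authz"] == "-":
            alerts.append({
                "ts": m["ts"],
                "src": m["src"],
                "method": m["method"],
                "path": path,
                "reason": "password change request without session or auth header",
            })
    return alerts


# Constructed sample lines (not real device logs). Lines 3 and 4 should alert;
# line 2 has a session cookie and line 5 an Authorization header.
SAMPLE_LOG = [
    "2025-08-08T10:00:01Z 10.0.0.5 GET /index.html 200 cookie=- authz=-",
    "2025-08-08T10:00:05Z 10.0.0.5 POST /cgi-bin/password 200 cookie=session=7f3a authz=-",
    "2025-08-08T10:00:09Z 203.0.113.7 POST /cgi-bin/password 200 cookie=- authz=-",
    "2025-08-08T10:00:12Z 203.0.113.7 POST /cgi-bin/password?user=admin 200 cookie=- authz=-",
    "2025-08-08T10:00:15Z 10.0.0.9 POST /cgi-bin/password 200 cookie=- authz=Basic%20dXNlcjpwYXNz",
]


if __name__ == "__main__":
    for fw in ("1.0.61", "v1.0.62", "1.1.0"):
        print(f"firmware {fw}: {'VULNERABLE' if is_vulnerable(fw) else 'ok'}")
    for a in scan_log(SAMPLE_LOG):
        print(f"ALERT {a['ts']} {a['src']} {a['method']} {a['path']}: {a['reason']}")
```

The version check is the part worth keeping regardless of log format: the affected range is an open interval below 1.0.62, so tuple comparison on the parsed components avoids the string-comparison mistake where "1.0.9" sorts after "1.0.62". The log scan only works once a proxy, NIDS or syslog forwarder in front of the device actually records the two headers; the ARC Solo itself is not assumed to log them.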

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd      v4.0      9.3     CRITICAL   CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X