CVE-2025-9495
BaseFortify

Publication date: 2025-09-23

Last updated on: 2025-09-24

Assigner: Carrier Global Corporation

Description
The Vitogate 300 web interface fails to enforce proper server-side authentication and relies on frontend-based authentication controls. This allows an attacker to simply modify HTML elements in the browser’s developer tools to bypass login restrictions. By removing specific UI elements, an attacker can reveal the hidden administration menu, giving them full control over the device.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-09-23
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: carrier
Product: vitogate_300
Version / Range: 4.0
CWE
CWE-602 (Client-Side Enforcement of Server-Side Security): The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
AI Powered Q&A
Can you explain this vulnerability to me?

The Vitogate 300 web interface does not properly enforce server-side authentication and instead relies on authentication controls implemented on the frontend. This means an attacker can manipulate the HTML elements in their browser's developer tools to bypass login restrictions. By removing certain UI elements, the attacker can access the hidden administration menu and gain full control over the device.

How can this vulnerability impact me?

This vulnerability allows an attacker to bypass authentication and gain full administrative control over the Vitogate 300 device. This could lead to unauthorized access, manipulation of device settings, potential disruption of services, and compromise of any data or systems connected to the device.