{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-12870","assignerOrgId":"cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e","state":"PUBLISHED","assignerShortName":"twcert","dateReserved":"2025-11-07T11:10:58.835Z","datePublished":"2025-11-12T07:35:43.207Z","dateUpdated":"2025-11-12T17:02:29.442Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"a+HRD","vendor":"aEnrich","versions":[{"lessThanOrEqual":"7.5","status":"affected","version":"0","versionType":"custom"}]}],"datePublic":"2025-11-12T07:33:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to send crafted packets to obtain administrator access tokens and use them to access the system with elevated privileges."}],"value":"The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to send crafted packets to obtain administrator access tokens and use them to access the system with elevated privileges."}],"impacts":[{"capecId":"CAPEC-114","descriptions":[{"lang":"en","value":"CAPEC-114 Authentication Abuse"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":9.3,"baseSeverity":"CRITICAL","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-1390","description":"CWE-1390 Weak Authentication","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e","shortName":"twcert","dateUpdated":"2025-11-12T07:35:43.207Z"},"references":[{"tags":["third-party-advisory"],"url":"https://www.twcert.org.tw/tw/cp-132-10486-a3459-1.html"},{"tags":["third-party-advisory"],"url":"https://www.twcert.org.tw/en/cp-139-10487-12a32-2.html"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Please refer to the aEnrich advisory to upgrade to version 6.8 or later and install the latest patches, or contact aEnrich customer service for assistance.<br>"}],"value":"Please refer to the aEnrich advisory to upgrade to version 6.8 or later and install the latest patches, or contact aEnrich customer service for assistance."}],"source":{"advisory":"TVN-202511005","discovery":"EXTERNAL"},"title":"aEnrich｜eHRD - Authentication Abuse","x_generator":{"engine":"Vulnogram 0.5.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-11-12T16:12:07.340092Z","id":"CVE-2025-12870","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-11-12T16:12:24.600Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-12T17:02:29.442Z"},"references":[{"url":"https://www.chtsecurity.com/news/b97e8337-6b0c-43e8-8e8c-187b7c0e13c2"}],"title":"CVE Program Container","x_generator":{"engine":"ADPogram 0.0.1"}}]}}