CVE-2025-12866

Multiple · Multiple EIP Plus products from Hundred Plus

A critical vulnerability has been identified in multiple EIP Plus products from the vendor Hundred Plus.

Executive summary

A critical vulnerability has been identified in multiple EIP Plus products from the vendor Hundred Plus. This flaw resides in a weak password recovery mechanism, which could allow a remote, unauthenticated attacker to easily predict or generate a password reset link, leading to complete account takeover. Successful exploitation would grant the attacker unauthorized access to user accounts, potentially compromising sensitive data and system integrity.

Vulnerability

The 'forgot password' functionality in the affected software generates a predictable or low-entropy token for password reset links. Because the reset request itself requires no authentication, the unpredictability of that token is the only thing standing between an attacker and the account. An unauthenticated remote attacker can initiate a password reset request for a known user account and then brute-force or predict the value of the reset token. Upon guessing the correct token, the attacker can set a new password for the user's account and gain full access without any prior authentication. The advisory does not state how the token is derived, only that its value can be guessed.
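To make the class of flaw concrete, the following is an added example, not code from EIP Plus or Hundred Plus: the advisory does not disclose how the real token is built, so the weak generator below (a hash of the account name and the request timestamp) is a hypothetical stand-in for "predictable or low-entropy". The attacker side enumerates candidates around the time it triggered the reset. Beside it sits the hardened form a practitioner would expect: a 256-bit token from the OS CSPRNG, stored only as a hash, short-lived, single-use and compared in constant time. All names here are invented for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


# --- Weak pattern (hypothetical; the advisory does not say how EIP Plus builds its token) ---

def weak_reset_token(username: str, issued_at: int) -> str:
    """Token derived only from guessable inputs: the account name and the second at
    which the reset was requested. No secret enters the computation, so the candidate
    space is tiny for anyone who knows roughly when the request happened."""
    return hashlib.md5(f"{username}:{issued_at}".encode()).hexdigest()


def predict_weak_token(username: str, observed_time: int, window: int,
                       accepts: Callable[[str], bool]) -> Optional[str]:
    """Attacker side: the attacker triggered the reset at about `observed_time` and
    tries every candidate within +/- `window` seconds. `accepts(token)` stands in for
    submitting the reset link and observing whether the server honours it."""
    for delta in range(-window, window + 1):
        candidate = weak_reset_token(username, observed_time + delta)
        if accepts(candidate):
            return candidate
    return None


# --- Hardened issuer: CSPRNG token, stored only as a hash, short TTL, single use ---

@dataclass
class ResetRecord:
    token_hash: str
    expires_at: float
    used: bool = False


class ResetService:
    TTL_SECONDS = 900  # 15 minutes is plenty for a user to click a link

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._pending: Dict[str, ResetRecord] = {}

    @staticmethod
    def _hash(token: str) -> str:
        # Only the hash is persisted, so a database read does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[username] = ResetRecord(self._hash(token),
                                              self._now() + self.TTL_SECONDS)
        return token  # delivered out of band to the verified address; never logged

    def redeem(self, username: str, token: str) -> bool:
        rec = self._pending.get(username)
        if rec is None or rec.used or self._now() > rec.expires_at:
            return False
        if not hmac.compare_digest(rec.token_hash, self._hash(token)):
            return False
        rec.used = True  # one-shot: a replayed link is rejected
        return True


class FakeClock:
    """Controllable clock for the demonstration (hypothetical helper)."""
    def __init__(self, t: float):
        self.t = t

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    real = weak_reset_token("alice", 1700000000)
    guessed = predict_weak_token("alice", 1700000007, 30, lambda t: t == real)
    print("weak token recovered by enumeration:", guessed == real)

    clk = FakeClock(1000.0)
    svc = ResetService(now=clk)
    tok = svc.issue("alice")
    print("first redeem:", svc.redeem("alice", tok), "replay:", svc.redeem("alice", tok))
```

The weak half recovers the token with a few dozen guesses because the attacker controls the request time; the hardened half offers no such handle, and even a leaked database row or a replayed link buys nothing.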

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could lead to a complete compromise of user accounts, including those with administrative privileges. The business impact includes the potential for significant data breaches, unauthorized access to sensitive corporate or customer information, financial fraud, and reputational damage. Depending on the function of the EIP Plus system, an attacker could disrupt business operations, manipulate data, or use the compromised system as a pivot point for further attacks within the network.

Remediation

Immediate Action: Organizations must immediately update all affected EIP Plus products to the latest patched version as recommended by the vendor, Hundred Plus. Any password reset tokens issued before the update should be treated as guessable and invalidated. After patching, it is crucial to review access logs for any suspicious password reset and login activity that may have occurred prior to the update.

Proactive Monitoring: Security teams should actively monitor for signs of exploitation. This includes looking for an unusual volume of password reset requests from a single IP address, or a single IP address requesting resets for many different accounts in a short time frame. System logs should also be reviewed for successful password resets followed immediately by logins from IP addresses or geographic locations the account has not been seen from before.
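The three patterns above as detection logic run over constructed log lines. This is an added example, not part of the advisory and not EIP Plus's log format: the line layout (`<timestamp> ip=<addr> event=<name> user=<account>`), the event names and the thresholds are all assumptions, and the sample log is fabricated for the demonstration, with 203.0.113.5 playing the attacker.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed log format for this example (not the product's real format):
#   <ISO 8601 UTC> ip=<addr> event=<name> user=<account>
LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) event=(?P<event>\S+) user=(?P<user>\S+)$")


def parse_line(line: str) -> Optional[Dict]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts.timestamp(), "ip": m["ip"], "event": m["event"], "user": m["user"]}


def detect(lines, burst_threshold=10, spray_threshold=5, window=60, login_window=300) -> List[Dict]:
    """Rules from the monitoring guidance (thresholds are assumptions):
      reset_burst             - >= burst_threshold reset requests from one IP inside `window` s
      reset_spray             - one IP requesting resets for >= spray_threshold distinct
                                accounts inside `window` s
      post_reset_login_new_ip - a successful reset followed within `login_window` s by a
                                login from an IP that account never logged in from before
    Each (rule, ip, user) triple alerts once so a long burst does not flood the queue."""
    alerts: List[Dict] = []
    fired = set()
    requests = defaultdict(deque)        # ip -> deque of (ts, user) reset requests
    last_reset: Dict[str, float] = {}    # user -> ts of last successful reset
    known_ips = defaultdict(set)         # user -> IPs seen on earlier successful logins

    def fire(rule: str, ip: str, user: Optional[str] = None) -> None:
        key = (rule, ip, user)
        if key not in fired:
            fired.add(key)
            alerts.append({"rule": rule, "ip": ip, "user": user})

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skip rather than crash the pipeline
        ts, ip, user = ev["ts"], ev["ip"], ev["user"]
        if ev["event"] == "password_reset_request":
            q = requests[ip]
            q.append((ts, user))
            while q and q[0][0] < ts - window:   # drop requests outside the trailing window
                q.popleft()
            if len(q) >= burst_threshold:
                fire("reset_burst", ip)
            if len({u for _, u in q}) >= spray_threshold:
                fire("reset_spray", ip)
        elif ev["event"] == "password_reset_success":
            last_reset[user] = ts
        elif ev["event"] == "login_success":
            reset_ts = last_reset.get(user)
            if (reset_ts is not None and ts - reset_ts <= login_window
                    and ip not in known_ips[user]):
                fire("post_reset_login_new_ip", ip, user)
            known_ips[user].add(ip)  # learn after checking, so the first sighting is judged
    return alerts


# Constructed sample: alice normally logs in from 198.51.100.10; 203.0.113.5 sprays
# twelve reset requests over six accounts in 12 s, resets alice and logs in as her.
_TARGETS = ["alice", "bob", "carol", "dave", "erin", "frank"]
SAMPLE_LOG = (
    ["2025-11-08T09:00:00Z ip=198.51.100.10 event=login_success user=alice"]
    + [f"2025-11-08T10:00:{i:02d}Z ip=203.0.113.5 event=password_reset_request user={_TARGETS[i % 6]}"
       for i in range(12)]
    + ["2025-11-08T10:00:30Z ip=203.0.113.5 event=password_reset_success user=alice",
       "2025-11-08T10:00:45Z ip=203.0.113.5 event=login_success user=alice",
       "2025-11-08T11:00:00Z ip=198.51.100.10 event=password_reset_request user=bob",
       "2025-11-08T11:05:00Z ip=198.51.100.10 event=login_success user=alice"]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The benign entries at the end (a single reset request from bob's usual address and alice logging in from her usual one, well after the reset) produce nothing, which is the point of keying the third rule on the account's own login history rather than on "any new IP".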

Compensating Controls: If immediate patching is not feasible, consider the following compensating controls:

  • Implement strict rate limiting on the password recovery endpoints, covering both the reset request step and the token verification step, to slow down brute-force attempts. Rate limiting only raises the cost of guessing; if the token can be predicted from public information, a handful of requests may suffice, so this is not a substitute for the patch.
  • Use a Web Application Firewall (WAF) with rules designed to detect and block anomalous patterns of password reset requests.
  • Temporarily disable the 'forgot password' feature if business operations permit.
  • Ensure Multi-Factor Authentication (MFA) is enforced for all users, so that a reset password alone is not enough to log in. This holds only if the reset flow does not also clear or bypass the user's second factor, and only for accounts where MFA is actually enrolled and enforced at login.
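One way to realise the rate-limiting control, as an added example rather than anything shipped with EIP Plus or recommended by the vendor: independent sliding-window budgets per source IP and per target account, on both the request step and the token-verification step. The limits, window lengths, class names and the `FakeClock` helper are assumptions for the demonstration.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Tuple


class SlidingWindowLimiter:
    """Allow at most `limit` events per `key` in any trailing `window` seconds."""

    def __init__(self, limit: int, window: float, now: Callable[[], float] = time.time):
        self.limit, self.window, self._now = limit, window, now
        self._hits = defaultdict(deque)  # key -> timestamps of counted events

    def allow(self, key: str) -> bool:
        t = self._now()
        q = self._hits[key]
        while q and q[0] <= t - self.window:  # expire events that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(t)
        return True


class PasswordRecoveryGuard:
    """Budgets for both halves of the recovery flow (hypothetical limits; tune to taste).
    Guessing happens against the token-verification step, so that step gets its own,
    tighter, per-account budget. When the per-account verification budget is exhausted
    the caller should discard the pending token rather than leave it for the next window,
    otherwise the limiter merely spreads the brute force over time."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.request_by_ip = SlidingWindowLimiter(5, 900, now)
        self.request_by_account = SlidingWindowLimiter(3, 900, now)
        self.verify_by_ip = SlidingWindowLimiter(10, 900, now)
        self.verify_by_account = SlidingWindowLimiter(5, 900, now)

    def allow_request(self, ip: str, account: str) -> Tuple[bool, str]:
        # The IP budget is checked first, so an IP that is already over budget never
        # touches the per-account counter and cannot lock out the legitimate user.
        if not self.request_by_ip.allow(ip):
            return False, "ip"
        if not self.request_by_account.allow(account):
            return False, "account"
        return True, "ok"

    def allow_verify(self, ip: str, account: str) -> Tuple[bool, str]:
        if not self.verify_by_ip.allow(ip):
            return False, "ip"
        if not self.verify_by_account.allow(account):
            return False, "account"  # caller should invalidate the pending token here
        return True, "ok"


class FakeClock:
    """Controllable clock for the demonstration (hypothetical helper)."""

    def __init__(self, t: float):
        self.t = t

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clk = FakeClock(0.0)
    guard = PasswordRecoveryGuard(now=clk)
    for _ in range(4):
        print("request alice:", guard.allow_request("203.0.113.5", "alice"))
    for _ in range(6):
        print("verify alice:", guard.allow_verify("203.0.113.5", "alice"))
```

Returning the reason alongside the verdict lets the endpoint distinguish "this IP is noisy" (respond slowly, log it) from "this account's token is under attack" (burn the token and notify the user), which a bare true/false cannot express.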

Exploitation status

Public Exploit Available: false

Analyst recommendation

Due to the critical severity and the ease of exploitation, this vulnerability poses a significant and immediate risk to the organization. We strongly recommend that the remediation plan be executed with the highest priority. All affected EIP Plus instances must be patched immediately. Although this CVE is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, its characteristics (remote, unauthenticated, no exploit complexity beyond guessing a token) make it a prime candidate for future inclusion, and organizations should treat it as though it were being actively targeted.