CVE-2026-12692
Vimesoft · Enterprise Video Platform
An unverified password change vulnerability in the Vimesoft Enterprise Video Platform allows remote, unauthenticated attackers to bypass authentication mechanisms.
Executive summary
A critical authentication bypass vulnerability in Vimesoft Enterprise Video Platform enables unauthenticated attackers to hijack user accounts by modifying passwords without verification.
Vulnerability
This vulnerability, classified as CWE-620, involves an unverified password change mechanism that permits an unauthenticated attacker to reset or modify credentials. Because the flaw requires no user interaction or prior authentication, it poses a severe risk to the entire user base.
Business impact
The ability for an unauthenticated actor to change passwords results in complete account takeover, leading to unauthorized access to sensitive video assets and potential data exfiltration. Given the CVSS score of 9.8, this vulnerability represents a critical risk to organizational confidentiality, integrity, and availability.
Remediation
Immediate Action: Update the Vimesoft Enterprise Video Platform to version 3.25.0 or later immediately to patch the authentication logic.
Proactive Monitoring: Review system access logs for suspicious password change requests or irregular login patterns occurring from unrecognized IP addresses.
Compensating Controls: Deploy a Web Application Firewall (WAF) to inspect incoming traffic for patterns associated with unauthorized password change requests.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability is of critical severity and demands immediate attention. Administrators must prioritize updating the affected software to the latest version to eliminate the bypass vector and prevent unauthorized access.