CVE-2026-12692

Vimesoft · Enterprise Video Platform

An unverified password change vulnerability in the Vimesoft Enterprise Video Platform allows remote, unauthenticated attackers to bypass authentication mechanisms.

Executive summary

A critical authentication bypass vulnerability in Vimesoft Enterprise Video Platform enables unauthenticated attackers to hijack user accounts by modifying passwords without verification.

Vulnerability

This vulnerability, classified as CWE-620, involves an unverified password change mechanism that permits an unauthenticated attacker to reset or modify credentials. Because the flaw requires no user interaction or prior authentication, it poses a severe risk to the entire user base.

Business impact

The ability for an unauthenticated actor to change passwords results in complete account takeover, leading to unauthorized access to sensitive video assets and potential data exfiltration. Given the CVSS score of 9.8, this vulnerability represents a critical risk to organizational confidentiality, integrity, and availability.

Remediation

Immediate Action: Update the Vimesoft Enterprise Video Platform to version 3.25.0 or later immediately to patch the authentication logic.

Proactive Monitoring: Review system access logs for suspicious password change requests or irregular login patterns occurring from unrecognized IP addresses.

Compensating Controls: Deploy a Web Application Firewall (WAF) to inspect incoming traffic for patterns associated with unauthorized password change requests.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability is of critical severity and demands immediate attention. Administrators must prioritize updating the affected software to the latest version to eliminate the bypass vector and prevent unauthorized access.