{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/enterprise-video-platform-from-3.11.0.0-before-3.25.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-12692"},{"cvss":9.1,"id":"CVE-2026-12694"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Enterprise Video Platform (3.11.0.0 before 3.25.0)","Enterprise Video Platform (from 3.11.0.0 before 3.25.0)"],"_cs_severities":["critical"],"_cs_tags":["vulnerability","authentication-bypass","web-application","cve","critical-vulnerability"],"_cs_type":"advisory","_cs_vendors":["Vimesoft Inc."],"content_html":"\u003cp\u003eA critical authentication bypass vulnerability, identified as CVE-2026-12692, has been discovered in Vimesoft Inc.'s Enterprise Video Platform. This flaw, present in versions ranging from 3.11.0.0 through to 3.24.9 (before 3.25.0), allows an unauthenticated attacker to change user passwords without prior verification. The vulnerability stems from an \u0026quot;Unverified Password Change\u0026quot; (CWE-620) mechanism, enabling malicious actors to reset or set new passwords for existing user accounts without requiring the current password or a secure token. Successful exploitation grants attackers complete unauthorized access to affected user accounts and the entire video platform, posing a severe risk to data integrity, confidentiality, and system availability. This vulnerability carries a CVSS v3.1 base score of 9.8, indicating its critical severity and ease of exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Vimesoft Inc. Enterprise Video Platform instance running a version between 3.11.0.0 and 3.24.9.\u003c/li\u003e\n\u003cli\u003eThe attacker targets a valid user account on the platform, whose username or email address is known or can be enumerated.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts and sends a specific HTTP request to the platform's password reset or password change endpoint for the target user.\u003c/li\u003e\n\u003cli\u003eDue to the \u0026quot;Unverified Password Change\u0026quot; vulnerability (CVE-2026-12692), the platform processes this request and updates the target user's password without validating the user's identity or requiring the old password/a secure reset token.\u003c/li\u003e\n\u003cli\u003eThe platform responds, indicating the password change was successful, or provides an error message that can be used for further enumeration.\u003c/li\u003e\n\u003cli\u003eThe attacker then uses the target user's username and the newly set password to log into the Vimesoft Enterprise Video Platform.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full unauthorized access to the compromised user's account and all associated platform functionalities and data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-12692 results in complete compromise of user accounts within the Vimesoft Enterprise Video Platform. Attackers can gain unauthorized access to sensitive video content, user data, and administrative functions, depending on the privileges of the compromised account. This can lead to data exfiltration, modification, or deletion of critical information, disruption of video services, and potential defacement of the platform. The broad range of affected versions indicates a significant potential victim base. For organizations using the vulnerable platform, the impact could include severe reputational damage, regulatory penalties for data breaches, and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-12692 immediately by updating Vimesoft Enterprise Video Platform to version 3.25.0 or later to remediate the unverified password change vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for repeated or unusual password change requests, especially those originating from unexpected IP addresses or associated with administrative accounts.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, particularly those with elevated privileges, to add an additional layer of security against compromised credentials.\u003c/li\u003e\n\u003cli\u003eConduct regular security audits and penetration tests on Vimesoft Enterprise Video Platform instances to identify and address similar authentication bypass vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T17:20:18Z","date_published":"2026-07-17T17:18:34Z","id":"https://feed.craftedsignal.io/briefs/2026-07-unverified-password-change-vimesoft/","summary":"An unverified password change vulnerability (CVE-2026-12692) exists in Vimesoft Inc.'s Enterprise Video Platform, affecting versions from 3.11.0.0 up to, but not including, 3.25.0, which allows an attacker to bypass authentication mechanisms, potentially leading to unauthorized access to the platform by changing user passwords without proper verification.","title":"CVE-2026-12692: Unverified Password Change Vulnerability in Vimesoft Enterprise Video Platform","url":"https://feed.craftedsignal.io/briefs/2026-07-unverified-password-change-vimesoft/"}],"language":"en","title":"CraftedSignal Threat Feed - Enterprise Video Platform (From 3.11.0.0 Before 3.25.0)","version":"https://jsonfeed.org/version/1.1"}