{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-56015", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-09T14:13:14.874Z", "dateReserved": "2025-08-16T00:00:00.000Z", "datePublished": "2026-04-07T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-07T19:20:28.344Z"}, "descriptions": [{"lang": "en", "value": "In GenieACS 1.2.13, an unauthenticated access vulnerability exists in the NBI API endpoint."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/genieacs/genieacs/"}, {"url": "https://github.com/e1st/CVE-2025-56015"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T14:10:39.278930Z", "id": "CVE-2025-56015", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:13:14.874Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-56015", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T14:10:39.278930Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:13:09.355Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/genieacs/genieacs/"}, {"url": "https://github.com/e1st/CVE-2025-56015"}], "descriptions": [{"lang": "en", "value": "In GenieACS 1.2.13, an unauthenticated access vulnerability exists in the NBI API endpoint."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-07T19:20:28.344Z"}}}, "cveMetadata": {"cveId": "CVE-2025-56015", "state": "PUBLISHED", "dateUpdated": "2026-04-09T14:13:14.874Z", "dateReserved": "2025-08-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-07T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In GenieACS 1.2.13, an unauthenticated access vulnerability exists in the NBI API endpoint."}], "id": "CVE-2025-56015", "lastModified": "2026-04-09T15:16:08.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-07T20:16:22.790", "references": [{"source": "cve@mitre.org", "url": "https://github.com/e1st/CVE-2025-56015"}, {"source": "cve@mitre.org", "url": "https://github.com/genieacs/genieacs/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.2.13"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "genieacs", "vendor": "genieacs"}], "analysis": {"en": {"generated_at": "2026-04-07T21:29:06.130412+00:00", "value": {"mitigation_remediation": ["Upgrade GenieACS to the latest release, which removes the unauthenticated access issue.", "If an upgrade is not immediately feasible, block external traffic to the NBI API endpoint using firewall rules or disable the API service altogether.", "Regularly audit API access logs for suspicious activity and apply network segmentation to limit exposure of the management interface."], "summary": {"action": "Apply patch", "impact": "Unauthenticated access to GenieACS NBI API endpoint"}, "threat_synthesis": {"affected_systems": "The flaw affects systems running GenieACS 1.2.13. Any deployment where the API endpoint is exposed to an external network and no additional authentication measures are in place is susceptible.", "description_and_impact": "An unauthenticated access flaw in the NBI API endpoint of GenieACS version 1.2.13 enables an attacker to communicate with the API without providing valid credentials. This vulnerability reflects improper access control (CWE\u2011284) and could allow the attacker to view or modify configuration data, potentially leading to unauthorized network management actions.", "risk_and_exploitability": "No CVSS score is available, and the EPSS score is not listed, making it difficult to quantify the precise attack likelihood. The vulnerability is not cataloged in the CISA KEV database. Because the flaw permits unauthenticated interaction with a RESTful API, an attacker could exploit it if the service is reachable over the internet or a trusted local network. No specific prerequisites beyond network connectivity to the endpoint are required, making the scenario relatively low effort for a determined adversary."}}}}, "created": "2026-04-08T19:38:37.597573+00:00", "title": "Unauthenticated Access to GenieACS NBI API Endpoint", "updated": "2026-04-08T19:50:26.958126+00:00", "vendors": ["genieacs", "genieacs$PRODUCT$genieacs"], "weaknesses": ["CWE-284"]}