{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-56015", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-09T14:13:14.874Z", "dateReserved": "2025-08-16T00:00:00.000Z", "datePublished": "2026-04-07T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-07T19:20:28.344Z"}, "descriptions": [{"lang": "en", "value": "In GenieACS 1.2.13, an unauthenticated access vulnerability exists in the NBI API endpoint."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/genieacs/genieacs/"}, {"url": "https://github.com/e1st/CVE-2025-56015"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T14:10:39.278930Z", "id": "CVE-2025-56015", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:13:14.874Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-56015", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T14:10:39.278930Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:13:09.355Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/genieacs/genieacs/"}, {"url": "https://github.com/e1st/CVE-2025-56015"}], "descriptions": [{"lang": "en", "value": "In GenieACS 1.2.13, an unauthenticated access vulnerability exists in the NBI API endpoint."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-07T19:20:28.344Z"}}}, "cveMetadata": {"cveId": "CVE-2025-56015", "state": "PUBLISHED", "dateUpdated": "2026-04-09T14:13:14.874Z", "dateReserved": "2025-08-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-07T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:genieacs:genieacs:1.2.13:*:*:*:*:*:*:*", "matchCriteriaId": "941E4964-CBF1-4A75-A497-5B93DC9A0E25", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In GenieACS 1.2.13, an unauthenticated access vulnerability exists in the NBI API endpoint."}], "id": "CVE-2025-56015", "lastModified": "2026-04-10T19:02:30.893", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-07T20:16:22.790", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/e1st/CVE-2025-56015"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/genieacs/genieacs/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.2.13"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "genieacs", "vendor": "genieacs"}], "analysis": {"en": {"generated_at": "2026-04-10T20:31:39.657691+00:00", "value": {"mitigation_remediation": ["Upgrade GenieACS to a version that addresses the unauthenticated NBI API access issue.", "If an upgrade is not immediately possible, restrict access to the NBI API endpoint using firewall rules to allow only trusted networks.", "Alternatively, disable the NBI API or enforce authentication mechanisms on the API if supported."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized API access"}, "threat_synthesis": {"affected_systems": "GenieACS 1.2.13 is the only version listed as affected.", "description_and_impact": "The vulnerability is an unauthenticated access flaw in the NBI API endpoint of GenieACS 1.2.13. An attacker who can reach the endpoint can invoke any API call without needing credentials, potentially reading and changing device configurations, causing misconfigurations or interruptions. This flaw originates from improper enforcement of access control (CWE\u2011284) and can lead to confidentiality, integrity, and availability impacts across the managed network.", "risk_and_exploitability": "The flaw is rated high severity with a CVSS score of 7.5. The EPSS indicates that the probability of exploitation in the wild is currently below 1 percent, and the vulnerability is not listed in the CISA KEV catalog. An attacker only needs network connectivity to the NBI API endpoint; no authentication is required. Successful exploitation would allow remote control of the GenieACS server and any devices managed by it."}}}}, "created": "2026-04-08T19:38:37.597573+00:00", "title": "Unauthenticated Access to GenieACS NBI API Endpoint", "updated": "2026-04-13T14:27:29.210049+00:00", "vendors": ["genieacs", "genieacs$PRODUCT$genieacs"]}