{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30777", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-03-04T22:26:32.318Z", "datePublished": "2026-03-05T05:31:35.025Z", "dateUpdated": "2026-03-06T18:19:20.427Z"}, "containers": {"cna": {"affected": [{"vendor": "EC-CUBE CO.,LTD.", "product": "EC-CUBE 4.1 series", "versions": [{"version": "prior to 4.1.2-p5", "status": "affected"}]}, {"vendor": "EC-CUBE CO.,LTD.", "product": "EC-CUBE 4.2 series", "versions": [{"version": "prior to 4.2.3-p2", "status": "affected"}]}, {"vendor": "EC-CUBE CO.,LTD.", "product": "EC-CUBE 4.3 series", "versions": [{"version": "prior to 4.3.1-p1", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication (MFA) bypass vulnerability. An attacker who has obtained a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized access to the administrative page."}], "problemTypes": [{"descriptions": [{"description": "Authentication Bypass Using an Alternate Path or Channel", "lang": "en-US", "cweId": "CWE-288", "type": "CWE"}]}], "references": [{"url": "https://www.ec-cube.net/info/weakness/20260209/index.php"}, {"url": "https://jvn.jp/en/jp/JVN63765888/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "MEDIUM", "baseScore": 4.9, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-03-05T05:31:35.025Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T18:19:14.257150Z", "id": "CVE-2026-30777", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:19:20.427Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30777", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-03-04T22:26:32.318Z", "datePublished": "2026-03-05T05:31:35.025Z", "dateUpdated": "2026-03-06T18:19:20.427Z"}, "containers": {"cna": {"affected": [{"vendor": "EC-CUBE CO.,LTD.", "product": "EC-CUBE 4.1 series", "versions": [{"version": "prior to 4.1.2-p5", "status": "affected"}]}, {"vendor": "EC-CUBE CO.,LTD.", "product": "EC-CUBE 4.2 series", "versions": [{"version": "prior to 4.2.3-p2", "status": "affected"}]}, {"vendor": "EC-CUBE CO.,LTD.", "product": "EC-CUBE 4.3 series", "versions": [{"version": "prior to 4.3.1-p1", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication (MFA) bypass vulnerability. An attacker who has obtained a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized access to the administrative page."}], "problemTypes": [{"descriptions": [{"description": "Authentication Bypass Using an Alternate Path or Channel", "lang": "en-US", "cweId": "CWE-288", "type": "CWE"}]}], "references": [{"url": "https://www.ec-cube.net/info/weakness/20260209/index.php"}, {"url": "https://jvn.jp/en/jp/JVN63765888/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "MEDIUM", "baseScore": 4.9, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-03-05T05:31:35.025Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30777", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T18:19:14.257150Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:19:17.117Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:-:*:*:*:*:*:*", "matchCriteriaId": "36FC4D31-98F5-4B83-A403-68A08A18C288", "versionEndExcluding": "4.1.2", "versionStartIncluding": "4.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:-:*:*:*:*:*:*", "matchCriteriaId": "6601BE42-8CFC-49D1-ACB5-CD5711C72DA5", "versionEndExcluding": "4.2.3", "versionStartIncluding": "4.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:-:*:*:*:*:*:*", "matchCriteriaId": "91B2FF2A-AD86-4B83-BCC6-64CEB5FED16B", "versionEndExcluding": "4.3.1", "versionStartIncluding": "4.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.1.2:-:*:*:*:*:*:*", "matchCriteriaId": "390C4F1F-9574-423C-A6FC-41945EE72A97", "vulnerable": true}, {"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.1.2:p1:*:*:*:*:*:*", "matchCriteriaId": "77DCDC1E-072D-4859-AD9D-1F1547A5C7BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.1.2:p2:*:*:*:*:*:*", "matchCriteriaId": "833340A1-0C34-4FE6-9820-CBCA7F3DC96C", "vulnerable": true}, {"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.1.2:p3:*:*:*:*:*:*", "matchCriteriaId": "B3445AF5-EB3D-4E12-A443-7938B8D6283A", "vulnerable": true}, {"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.1.2:p4:*:*:*:*:*:*", "matchCriteriaId": "8379929D-BC61-46EF-AA01-5154FBEFF658", "vulnerable": true}, {"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.2.3:-:*:*:*:*:*:*", "matchCriteriaId": "D2FE8135-3653-4460-AC7F-ED95C184F89F", "vulnerable": true}, {"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.2.3:p1:*:*:*:*:*:*", "matchCriteriaId": "67D9B2DD-2498-465A-B85A-56EB5A8A13AC", "vulnerable": true}, {"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.3.1:-:*:*:*:*:*:*", "matchCriteriaId": "61BF3F86-DD59-4F48-B4CC-E637699F0638", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication (MFA) bypass vulnerability. An attacker who has obtained a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized access to the administrative page."}, {"lang": "es", "value": "EC-CUBE proporcionado por EC-CUBE CO.,LTD. contiene una vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n multifactor (MFA). Un atacante que ha obtenido un ID y contrase\u00f1a de administrador v\u00e1lidos podr\u00eda ser capaz de omitir la autenticaci\u00f3n de dos factores y obtener acceso no autorizado a la p\u00e1gina administrativa."}], "id": "CVE-2026-30777", "lastModified": "2026-03-09T18:34:56.787", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-03-05T06:16:51.997", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN63765888/"}, {"source": "vultures@jpcert.or.jp", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.ec-cube.net/info/weakness/20260209/index.php"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.1.2-p5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "EC-CUBE 4.1 series", "source": "cna", "vendor": "EC-CUBE CO.,LTD."}, "product": "ec-cube_4.1_series", "vendor": "ec-cube"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.2.3-p2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "EC-CUBE 4.2 series", "source": "cna", "vendor": "EC-CUBE CO.,LTD."}, "product": "ec-cube_4.2_series", "vendor": "ec-cube"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.3.1-p1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "EC-CUBE 4.3 series", "source": "cna", "vendor": "EC-CUBE CO.,LTD."}, "product": "ec-cube_4.3_series", "vendor": "ec-cube"}], "analysis": {"en": {"generated_at": "2026-04-16T12:56:31.730113+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011provided security update for the affected EC\u2011Cube releases (4.1.2, 4.2.3, or 4.3.1) as detailed in the EC\u2011Cube advisory.", "After applying the patch, review the MFA configuration to ensure that the second factor cannot be overridden, and enforce a strictly validated second factor such as a time\u2011based one\u2011time password.", "Rotate all administrator account passwords immediately after patching and enforce a password policy that requires strong, unique credentials for each admin account.", "Continuously monitor administrator activity logs for anomalous access patterns and investigate any suspicious events promptly."], "summary": {"action": "Immediate Patch", "impact": "Bypass of two\u2011factor authentication leading to unauthorized administrative access"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in EC\u2011Cube 4.1 series (specifically 4.1.2 and its patch releases p1\u2011p4), EC\u2011Cube 4.2 series (4.2.3 and its p1 patch), and EC\u2011Cube 4.3 series (4.3.1). These versions are distributed by EC\u2011Cube Co.,Ltd. Users running any of these releases are at risk.", "description_and_impact": "EC\u2011Cube includes a vulnerability that allows a multi\u2011factor authentication bypass. An attacker who has already obtained a valid administrator ID and password can circumvent the second authentication factor and gain unrestricted access to the administrative interface. This flaw essentially turns a multi\u2011factor protected account into a single\u2011factor one, enabling full administrative control for an attacker without any additional privileged credentials.", "risk_and_exploitability": "The CVSS score of 6.9 categorises the problem as moderate severity. The EPSS score of less than 1 percent indicates a very low exploitation probability, and the issue is not listed in the CISA KEV catalog. The likely attack vector requires an attacker to first acquire administrator credentials, which could be achieved through credential theft, social engineering, or other means. Once credentials are in hand, the attacker can exploit the MFA bypass remotely, capitalising on the flawed authentication logic described by the vendor advisory."}}}}, "created": "2026-03-06T15:17:48.068341+00:00", "title": "Multi\u2011Factor Authentication Bypass in EC\u2011Cube Administrator Login", "updated": "2026-04-16T13:00:11.088100+00:00", "vendors": ["ec-cube", "ec-cube$PRODUCT$ec-cube_4.1_series", "ec-cube$PRODUCT$ec-cube_4.2_series", "ec-cube$PRODUCT$ec-cube_4.3_series"]}