Description
In GenieACS 1.2.13, an unauthenticated access vulnerability exists in the NBI API endpoint.
Published: 2026-04-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized API access
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an unauthenticated access flaw in the NBI API endpoint of GenieACS 1.2.13. An attacker who can reach the endpoint can invoke any API call without needing credentials, potentially reading and changing device configurations, causing misconfigurations or interruptions. This flaw originates from improper enforcement of access control (CWE‑284) and can lead to confidentiality, integrity, and availability impacts across the managed network.

Affected Systems

GenieACS 1.2.13 is the only version listed as affected.

Risk and Exploitability

The flaw is rated high severity with a CVSS score of 7.5. The EPSS indicates that the probability of exploitation in the wild is currently below 1 percent, and the vulnerability is not listed in the CISA KEV catalog. An attacker only needs network connectivity to the NBI API endpoint; no authentication is required. Successful exploitation would allow remote control of the GenieACS server and any devices managed by it.

Generated by OpenCVE AI on April 10, 2026 at 20:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GenieACS to a version that addresses the unauthenticated NBI API access issue.
  • If an upgrade is not immediately possible, restrict access to the NBI API endpoint using firewall rules to allow only trusted networks.
  • Alternatively, disable the NBI API or enforce authentication mechanisms on the API if supported.

Generated by OpenCVE AI on April 10, 2026 at 20:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2h6j-mhcp-9j9h GenieACS has an unauthenticated access vulnerability via the NBI API endpoint
History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated Access to GenieACS NBI API Endpoint

Fri, 10 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:genieacs:genieacs:1.2.13:*:*:*:*:*:*:*

Fri, 10 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated Access to GenieACS NBI API Endpoint

Thu, 09 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated Access to GenieACS NBI API Endpoint
First Time appeared Genieacs
Genieacs genieacs
Weaknesses CWE-284
Vendors & Products Genieacs
Genieacs genieacs

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description In GenieACS 1.2.13, an unauthenticated access vulnerability exists in the NBI API endpoint.
References

Subscriptions

Genieacs Genieacs
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-09T14:13:14.874Z

Reserved: 2025-08-16T00:00:00.000Z

Link: CVE-2025-56015

cve-icon Vulnrichment

Updated: 2026-04-09T14:13:09.355Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T20:16:22.790

Modified: 2026-04-10T19:02:30.893

Link: CVE-2025-56015

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:27:29Z

Weaknesses