CVE-2025-8855 - Vulnerability Details - OpenCVE

Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vulnerability in Optimus Software Brokerage Automation allows Exploiting Trust in Client, Authentication Bypass, Manipulate Registry Information.This issue affects Brokerage Automation: before 1.1.71.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact total

No data.

No data.

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.usom.gov.tr/bildirim/tr-25-0396

History

Fri, 14 Nov 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 14 Nov 2025 13:00:00 +0000

Type	Values Removed	Values Added
Description		Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vulnerability in Optimus Software Brokerage Automation allows Exploiting Trust in Client, Authentication Bypass, Manipulate Registry Information.This issue affects Brokerage Automation: before 1.1.71.
Title		2FA Expiry Bypass in Optimus Software's Brokerage Automation
Weaknesses		CWE-302 CWE-639 CWE-640
References		https://www.usom.gov.tr/bildirim/tr-25-0396
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published: 2025-11-14T12:39:46.458Z

Updated: 2025-11-14T13:20:17.282Z

Reserved: 2025-08-11T07:47:10.546Z

Link: CVE-2025-8855

Vulnrichment

Updated: 2025-11-14T13:20:13.522Z

NVD

Status : Received

Published: 2025-11-14T13:15:45.337

Modified: 2025-11-14T13:15:45.337

Link: CVE-2025-8855

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8855", "assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21", "state": "PUBLISHED", "assignerShortName": "TR-CERT", "dateReserved": "2025-08-11T07:47:10.546Z", "datePublished": "2025-11-14T12:39:46.458Z", "dateUpdated": "2025-11-14T13:20:17.282Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Brokerage Automation", "vendor": "Optimus Software", "versions": [{"lessThan": "1.1.71", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Can Nesimi ARI"}], "datePublic": "2025-11-14T12:31:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vulnerability in Optimus Software Brokerage Automation allows Exploiting Trust in Client, Authentication Bypass, Manipulate Registry Information.<p>This issue affects Brokerage Automation: before 1.1.71.</p>"}], "value": "Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vulnerability in Optimus Software Brokerage Automation allows Exploiting Trust in Client, Authentication Bypass, Manipulate Registry Information.This issue affects Brokerage Automation: before 1.1.71."}], "impacts": [{"capecId": "CAPEC-22", "descriptions": [{"lang": "en", "value": "CAPEC-22 Exploiting Trust in Client"}]}, {"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}, {"capecId": "CAPEC-203", "descriptions": [{"lang": "en", "value": "CAPEC-203 Manipulate Registry Information"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-640", "description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-302", "description": "CWE-302 Authentication Bypass by Assumed-Immutable Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21", "shortName": "TR-CERT", "dateUpdated": "2025-11-14T12:39:46.458Z"}, "references": [{"url": "https://www.usom.gov.tr/bildirim/tr-25-0396"}], "source": {"advisory": "TR-25-0396", "defect": ["TR-25-0396"], "discovery": "UNKNOWN"}, "title": "2FA Expiry Bypass in Optimus Software's Brokerage Automation", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-14T13:20:09.506876Z", "id": "CVE-2025-8855", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-14T13:20:17.282Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8855", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-14T13:20:09.506876Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-14T13:20:13.522Z"}}], "cna": {"title": "2FA Expiry Bypass in Optimus Software's Brokerage Automation", "source": {"defect": ["TR-25-0396"], "advisory": "TR-25-0396", "discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Can Nesimi ARI"}], "impacts": [{"capecId": "CAPEC-22", "descriptions": [{"lang": "en", "value": "CAPEC-22 Exploiting Trust in Client"}]}, {"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}, {"capecId": "CAPEC-203", "descriptions": [{"lang": "en", "value": "CAPEC-203 Manipulate Registry Information"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Optimus Software", "product": "Brokerage Automation", "versions": [{"status": "affected", "version": "0", "lessThan": "1.1.71", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2025-11-14T12:31:00.000Z", "references": [{"url": "https://www.usom.gov.tr/bildirim/tr-25-0396"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vulnerability in Optimus Software Brokerage Automation allows Exploiting Trust in Client, Authentication Bypass, Manipulate Registry Information.This issue affects Brokerage Automation: before 1.1.71.", "supportingMedia": [{"type": "text/html", "value": "Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vulnerability in Optimus Software Brokerage Automation allows Exploiting Trust in Client, Authentication Bypass, Manipulate Registry Information.<p>This issue affects Brokerage Automation: before 1.1.71.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-640", "description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-302", "description": "CWE-302 Authentication Bypass by Assumed-Immutable Data"}]}], "providerMetadata": {"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21", "shortName": "TR-CERT", "dateUpdated": "2025-11-14T12:39:46.458Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8855", "state": "PUBLISHED", "dateUpdated": "2025-11-14T13:20:17.282Z", "dateReserved": "2025-08-11T07:47:10.546Z", "assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21", "datePublished": "2025-11-14T12:39:46.458Z", "assignerShortName": "TR-CERT"}, "dataVersion": "5.2"}