Description
A missing authentication for critical function vulnerability in the /servlet/baServer3 endpoint of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to access exposed administrative functionality without prior authentication.
Published: 2026-01-30
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Administrative Access
Action: Patch Immediately
AI Analysis

Impact

A missing authentication check in the /servlet/baServer3 endpoint of Interinfo DreamMaker allows remote attackers to invoke critical administrative functions without any prior login. This flaw can lead to full administrator privileges, enabling the attacker to modify configurations, access sensitive data, or take control of the system, as reflected in the 9.3 CVSS score and its classification under CWE-306.

Affected Systems

Internet Information Co., Ltd DreamMaker versions released before 2025‑10‑22 are affected. Any deployment of these versions is vulnerable until a patch or workaround is applied.

Risk and Exploitability

The vulnerability carries a high-severity CVSS score of 9.3 but an extremely low EPSS probability (< 1%). It is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none, so no in-the-wild exploitation was known at the time of reporting. The attack vector is remote network access to the vulnerable HTTP endpoint, where an attacker can send crafted requests that reach the administrative functionality without passing any authentication guard.

Generated by OpenCVE AI on April 18, 2026 at 01:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patch or release issued after 2025‑10‑22 that fixes the missing authentication flaw.
  • If an immediate upgrade is not feasible, restrict network reach to the /servlet/baServer3 endpoint to trusted IP addresses or internal networks only.
  • Implement web application firewall rules or intrusion detection signatures to block or alert on unauthorized access attempts to the vulnerable endpoint.
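The second and third recommended actions above amount to one control: once reach to /servlet/baServer3 is limited to trusted networks, any request to that path from anywhere else is worth an alert, and a 2xx response to such a request means the restriction is not actually in place. The following script is an added example, not OpenCVE's or the vendor's code, that triages front-end access logs for exactly that condition. It assumes the reverse proxy or application server in front of DreamMaker writes Apache/nginx combined-style access logs and that the trusted sources can be expressed as CIDR ranges; the log lines, the allowlist ranges and the IP addresses are all constructed for the example.

```python
"""Triage access logs for untrusted requests to the CVE-2026-24728 endpoint.

Added example (not OpenCVE's or Interinfo's code). Assumes combined-style
access logs and a CIDR allowlist; all sample data below is constructed.
"""
import ipaddress
import re

# Endpoint named in the advisory.
VULNERABLE_PATH = "/servlet/baServer3"

# Hypothetical allowlist: the only networks that should reach the endpoint
# once network access to it has been restricted (assumption, not from the page).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.10.0/24"),
]

# Combined log format prefix: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Compare on the path only; query strings must not defeat the match.
    rec["path"] = rec.pop("target").split("?", 1)[0]
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip_str):
    """True when the client address lies inside one of the allowlisted ranges."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        # Unparseable client field: treat as untrusted rather than silently skip.
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def targets_endpoint(path):
    """Match the endpoint itself and any sub-path under it, not similar names."""
    return path == VULNERABLE_PATH or path.startswith(VULNERABLE_PATH + "/")


def find_untrusted_access(lines):
    """Return one alert per request to the endpoint from outside the allowlist."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not targets_endpoint(rec["path"]):
            continue
        if is_trusted(rec["ip"]):
            continue
        alerts.append({
            "time": rec["time"],
            "ip": rec["ip"],
            "method": rec["method"],
            "path": rec["path"],
            "status": rec["status"],
        })
    return alerts


def summarize(alerts):
    """Count untrusted requests, and how many the server actually served (2xx)."""
    return {
        "untrusted_requests": len(alerts),
        "untrusted_successes": sum(1 for a in alerts if 200 <= a["status"] < 300),
    }


# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.45 - - [30/Jan/2026:19:15:01 +0000] "POST /servlet/baServer3 HTTP/1.1" 200 512',
    '10.20.30.40 - - [30/Jan/2026:19:15:05 +0000] "GET /servlet/baServer3 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [30/Jan/2026:19:16:10 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.7 - - [30/Jan/2026:19:16:12 +0000] "GET /servlet/baServer3 HTTP/1.1" 403 199',
    'garbage line that is not an access-log record',
]

if __name__ == "__main__":
    found = find_untrusted_access(SAMPLE_LOG)
    for a in found:
        print(f'{a["time"]} {a["ip"]} {a["method"]} {a["path"]} -> {a["status"]}')
    print(summarize(found))
```

Run against the constructed sample, the script reports two untrusted requests: the one that received a 200 shows the endpoint still being served to an address outside the allowlist, while the 403 shows the restriction working for that request. Blocked attempts are still reported on purpose, since repeated requests to this specific path from unexpected sources are the signal the third recommended action asks for.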

Advisories

No advisories yet.

References
History

Fri, 30 Jan 2026 19:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 30 Jan 2026 09:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Interinfo; Interinfo dreammaker
Vendors & Products                    Interinfo; Interinfo dreammaker

Fri, 30 Jan 2026 04:30:00 +0000

Type          Values Removed   Values Added
Description                    A missing authentication for critical function vulnerability in the /servlet/baServer3 endpoint of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to access exposed administrative functionality without prior authentication.
Title                          Interinfo DreamMaker - Missing Authentication for Critical Function
Weaknesses                     CWE-306
References
Metrics                        cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ZUSO ART

Published:

Updated: 2026-01-30T18:19:12.243Z

Reserved: 2026-01-26T07:42:53.160Z

Link: CVE-2026-24728

Vulnrichment

Updated: 2026-01-30T18:19:08.188Z

NVD

Status : Deferred

Published: 2026-01-30T05:16:33.347

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24728

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:15:05Z

Weaknesses