CVE-2025-43983
Published: 14 August 2025
Summary
CVE-2025-43983 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in KuWFi CPF908-CP5 WEB5.0_LCD_20210125 devices. Its CVSS v3.1 base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 37.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication), AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-Organizational Users)).
Deeper analysis
CVE-2025-43983 covers multiple unauthenticated access-control flaws, mapped to CWE-306 (Missing Authentication for Critical Function), in KuWFi CPF908-CP5 WEB5.0_LCD_20210125 devices. The flaws sit in the goform/goform_set_cmd_process and goform/goform_get_cmd_process endpoints of the device web interface, which execute their commands without checking whether the caller has authenticated. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N): high confidentiality and integrity impact, no availability impact.
An unauthenticated attacker with network access to the web interface can exploit these flaws remotely and with low complexity, needing no privileges and no user interaction. Successful exploitation lets the attacker retrieve sensitive information (including the device admin username and password), modify critical device settings, and send arbitrary SMS messages. Because the recovered credentials give full administrative control of the device, the confidentiality and integrity impacts are both rated High.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24812
Vulnerability details
KuWFi CPF908-CP5 WEB5.0_LCD_20210125 devices have multiple unauthenticated access control vulnerabilities within goform/goform_set_cmd_process and goform/goform_get_cmd_process. These allow an unauthenticated attacker to retrieve sensitive information (including the device admin username and password), modify critical device settings, and send arbitrary SMS messages.
- CWE(s): CWE-306 (Missing Authentication for Critical Function)
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploit Public-Facing Application (T1190)
Why these techniques?
An unauthenticated, remote authentication bypass on the public-facing web endpoints (goform) of a network device directly enables initial access through exploitation of a public-facing application (T1190).
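The T1190 path above is visible in web-server access logs. The following is an added example, not code from the advisory or from KuWFi, that hunts for requests to the two goform endpoints and separates hits from an untrusted source. It assumes combined (Apache/Nginx) log format, a trusted management network of 192.168.1.0/24, and constructed sample lines; the query string in the sample is a placeholder, not the device's real parameter.

```python
"""Hunt for unauthenticated goform endpoint hits in access logs (added example).

Assumptions (not from the advisory): combined log format, trusted management
network 192.168.1.0/24. Sample records are constructed for the example.
"""
import ipaddress
import re
from collections import Counter

# Combined log format: src ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoints the advisory names as reachable without authentication.
WATCHED_ENDPOINTS = (
    "/goform/goform_set_cmd_process",
    "/goform/goform_get_cmd_process",
)

# Constructed sample log: two external hits, one from the management LAN,
# one unrelated request and one malformed record.
SAMPLE_LOG = """\
203.0.113.9 - - [14/Aug/2025:10:02:11 +0000] "GET /goform/goform_get_cmd_process?cmd=placeholder HTTP/1.1" 200 612 "-" "curl/8.5.0"
192.168.1.20 - - [14/Aug/2025:10:03:40 +0000] "POST /goform/goform_set_cmd_process HTTP/1.1" 200 31 "http://192.168.1.1/" "Mozilla/5.0"
198.51.100.7 - - [14/Aug/2025:10:04:02 +0000] "POST /goform/goform_set_cmd_process HTTP/1.1" 200 31 "-" "python-requests/2.32"
203.0.113.9 - - [14/Aug/2025:10:04:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.5.0"
this line is not a valid log record
"""


def parse_line(line):
    """Return the fields of one combined-format record, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "src": m["src"],
        "ts": m["ts"],
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }


def find_goform_hits(lines, trusted_nets=("192.168.1.0/24",)):
    """Return every request to a watched endpoint, tagged external/internal by source IP."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in WATCHED_ENDPOINTS:
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue  # hostname-logged clients cannot be range-checked; skip them
        rec["external"] = not any(src in n for n in nets)
        findings.append(rec)
    return findings


def external_sources(findings):
    """Count successful (2xx) watched-endpoint hits per untrusted source IP."""
    return Counter(
        f["src"] for f in findings if f["external"] and 200 <= f["status"] < 300
    )


if __name__ == "__main__":
    hits = find_goform_hits(SAMPLE_LOG.splitlines())
    for h in hits:
        tag = "EXTERNAL" if h["external"] else "internal"
        print(f"{tag:8} {h['src']:15} {h['method']} {h['path']} -> {h['status']}")
    print("successful external sources:", dict(external_sources(hits)))
```

A 200 on either endpoint from outside the management network is worth an alert on its own, since the advisory describes no legitimate unauthenticated use of these handlers; a 401 or 403 on the same path after a firmware fix is the expected baseline.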
Affected Assets: KuWFi CPF908-CP5 devices running WEB5.0_LCD_20210125
Mitigating Controls (NIST 800-53 r5)
AC-3 (Access Enforcement): enforces approved authorizations for access to system resources, directly preventing unauthenticated exploitation of the goform endpoints for sensitive operations.
AC-14 (Permitted Actions Without Identification or Authentication): limits the actions permitted without identification or authentication to non-critical functions, addressing the missing authentication on the goform_set_cmd_process and goform_get_cmd_process endpoints.
IA-8 (Identification and Authentication (Non-Organizational Users)): requires identification and authentication of non-organizational users, mitigating remote unauthenticated access to retrieve credentials, modify settings, and send SMS.
Until a firmware version that enforces authentication on these endpoints is deployed, the practical compensating control is network reachability: keep the device's web interface off the internet and restrict it to a trusted management network, and rotate the admin credentials once the interface is no longer exposed, since they should be treated as already disclosed.
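To make the three controls concrete, here is an added example, not KuWFi's firmware code, that models the two goform handlers with and without enforcement. It assumes a logged-in user is identified by a session cookie, that the command is selected by a cmd parameter, and that send_sms is the command that sends a message; the state keys and session token are constructed for the example. The advisory does not give the real parameter names.

```python
"""Model of the CWE-306 gap in the goform handlers and the AC-3/AC-14/IA-8 fix
(added example, not device code).

Assumptions not taken from the advisory: a ``session`` cookie identifies the
user, a ``cmd`` parameter selects the command, ``send_sms`` sends a message.
State keys and the session token are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed stand-in for the device's configuration store.
DEVICE_STATE = {
    "model": "CPF908-CP5",
    "signal_dbm": -71,
    "apn": "internet",
    "admin_username": "admin",
    "admin_password": "s3cret",
}

# Constructed table of valid session tokens -> user (IA-8: identify who is asking).
SESSIONS = {"tok-admin-1": "admin"}

# AC-14: the only keys that may be read without identification or authentication.
NON_CRITICAL_GET_KEYS = {"model", "signal_dbm"}


@dataclass
class Request:
    path: str
    params: dict
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: dict


def dispatch(req, state, sms_outbox, enforce_auth):
    """Route a goform request.

    enforce_auth=False reproduces the reported behaviour: every command runs for
    anyone. enforce_auth=True applies AC-3 (an authorization check before any
    critical operation) and AC-14 (an explicit allowlist of non-critical reads).
    """
    user = SESSIONS.get(req.cookies.get("session"))
    cmd = req.params.get("cmd", "")

    if req.path == "goform/goform_get_cmd_process":
        keys = [k for k in cmd.split(",") if k in state]
        # Anonymous callers may read only allowlisted keys; the admin
        # credentials are never on that list.
        if enforce_auth and user is None and not set(keys) <= NON_CRITICAL_GET_KEYS:
            return Response(401, {"error": "authentication required"})
        return Response(200, {k: state[k] for k in keys})

    if req.path == "goform/goform_set_cmd_process":
        # Every set operation (settings change, SMS) is critical: no anonymous path.
        if enforce_auth and user is None:
            return Response(401, {"error": "authentication required"})
        if cmd == "send_sms":
            sms_outbox.append((req.params.get("to"), req.params.get("text")))
            return Response(200, {"sent": True})
        updates = {k: v for k, v in req.params.items() if k != "cmd" and k in state}
        state.update(updates)
        return Response(200, {"updated": sorted(updates)})

    return Response(404, {"error": "unknown endpoint"})


if __name__ == "__main__":
    state = dict(DEVICE_STATE)
    creds = Request("goform/goform_get_cmd_process", {"cmd": "admin_username,admin_password"})
    print("vulnerable :", dispatch(creds, state, [], enforce_auth=False))
    print("hardened   :", dispatch(creds, state, [], enforce_auth=True))
    print("logged in  :", dispatch(Request(creds.path, creds.params, {"session": "tok-admin-1"}),
                                   state, [], enforce_auth=True))
```

The point of the allowlist is that AC-14 is a positive statement of what anonymous callers may do, not a blocklist of sensitive keys; anything not on the list, including keys added in a later firmware, requires a session.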