Cyber Resilience

CVE-2025-43983

Severity: Critical
Published: 14 August 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS Score (v3.1): 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0042 (62.5th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-43983 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Proton (inferred from references). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 37.5% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-43983 is a set of multiple unauthenticated access control vulnerabilities, mapped to CWE-306 (Missing Authentication for Critical Function), affecting KuWFi CPF908-CP5 WEB5.0_LCD_20210125 devices. These flaws exist in the goform/goform_set_cmd_process and goform/goform_get_cmd_process endpoints, enabling attackers to bypass authentication entirely. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts with no availability disruption.

An unauthenticated attacker with network access can exploit these vulnerabilities remotely and with low complexity, requiring no privileges.


Vulnerability details

KuWFi CPF908-CP5 WEB5.0_LCD_20210125 devices have multiple unauthenticated access control vulnerabilities within goform/goform_set_cmd_process and goform/goform_get_cmd_process. These allow an unauthenticated attacker to retrieve sensitive information (including the device admin username and password), modify critical device settings, and send arbitrary SMS messages.

CWE(s)

CWE-306 Missing Authentication for Critical Function

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

An unauthenticated remote authentication bypass on the public-facing web endpoints (goform) of a network device directly enables initial access through exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21515 (shared CWE-306)
CVE-2025-57432 (shared CWE-306)
CVE-2026-27446 (shared CWE-306)
CVE-2026-21446 (shared CWE-306)
CVE-2021-47891 (shared CWE-306)
CVE-2025-41715 (shared CWE-306)
CVE-2026-24790 (shared CWE-306)
CVE-2025-21524 (shared CWE-306)
CVE-2025-53072 (shared CWE-306)
CVE-2025-40771 (shared CWE-306)

Affected Assets

Proton (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for access to system resources, directly preventing unauthenticated exploitation of goform endpoints for sensitive operations.

AC-14 Permitted Actions Without Identification or Authentication (prevent)
Limits permitted actions without identification or authentication to non-critical functions, addressing the missing authentication for the critical goform_set_cmd_process and goform_get_cmd_process endpoints.

IA-8 Identification and Authentication (Non-Organizational Users) (prevent)
Requires identification and authentication for non-organizational users, mitigating remote unauthenticated access to retrieve credentials, modify settings, and send SMS.
