CVE-2026-2540
Published: 15 February 2026
Summary
CVE-2026-2540 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Asrg (inferred from references). Its CVSS base score is 8.4 (High).
Operationally, it is ranked at the 10.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5831
Vulnerability details
The Micca KE700 system contains flawed resynchronization logic and is vulnerable to replay attacks. This attack requires sending two previously captured codes in a specific sequence. As a result, the system can be forced to accept previously used (stale) rolling codes and execute a command. Successful exploitation allows an attacker to clone the alarm key. This grants the attacker unauthorized access to the vehicle to unlock or lock the doors.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Insufficient information to map techniques.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Users can identify logons via alternate paths or channels by reviewing the previous logon time.
Authorizing remote access reduces the ability to bypass authentication via unauthorized alternate remote channels.
Adaptive requirements can apply across access paths, reducing the ability to bypass authentication via alternate channels or paths.
Centralized IdPs close alternate authentication paths that enable bypass.
Enforces authentication for non-organizational users, making it harder to bypass via alternate paths or channels.
Requires authentication to occur exclusively over the isolated trusted path, directly preventing bypass via alternate or untrusted channels.
Protects against replay of captured session tokens or credentials by requiring authenticated, fresh session channels.
Wireless link protections commonly incorporate replay protection, reducing the exploitability of capture-replay weaknesses.