CVE-2026-25654

High

Published: 14 April 2026

Published

14 April 2026

Modified

17 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0005 15.5th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25654 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 15.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-2 (Account Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for logical access to system resources, directly preventing authorization bypass during password reset requests.

IA-5 Authenticator Management partial match

prevent

Manages authenticators including passwords with controls to protect against unauthorized issuance or changes like resets by low-privileged attackers.

AC-2 Account Management partial match

prevent

Establishes processes for account management that include secure handling and authorization of password resets to mitigate unauthorized account compromises.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1098 Account Manipulation Persistence

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.

attack.mitre.org →

Why these techniques?

The post-auth authorization bypass in password reset flows directly enables an attacker to perform unauthorized account password changes (T1098 Account Manipulation) and thereby escalate privileges by compromising higher-privileged accounts (T1068 Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3). Affected products do not properly validate user authorization when processing password reset requests. This could allow an authenticated remote attacker to bypass authorization checks, leading to the…

ability to reset the password of any arbitrary user account.

Deeper analysisAI

CVE-2026-25654 affects SINEC NMS in all versions prior to V4.0 SP3. The vulnerability stems from improper validation of user authorization when processing password reset requests, enabling an authorization bypass as classified under CWE-639. This flaw has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.

An authenticated remote attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). Exploitation allows the attacker to bypass authorization checks and reset the password of any arbitrary user account, potentially leading to full compromise of targeted accounts.

Siemens security advisory SSA-605717, available at https://cert-portal.siemens.com/productcert/html/ssa-605717.html, details the vulnerability and affected products. Mitigation requires updating to SINEC NMS V4.0 SP3 or later versions where the authorization validation issue has been addressed.