Cyber Resilience

CVE-2026-4312

CriticalUpdated

Published: 17 March 2026

Published
17 March 2026
Modified
05 June 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0045 35.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-4312 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Dragonsoft Gcb\/Fcb Government Financial Cybersecurity Configuration Audit Software. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-2 (Account Management).

Deeper analysis

CVE-2026-4312 is a Missing Authentication vulnerability (CWE-306) affecting GCB/FCB Audit Software developed by DrangSoft. Published on 2026-03-17, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and lack of prerequisites. The flaw enables unauthenticated remote attackers to directly access certain APIs without authentication.

Unauthenticated attackers with network access can exploit this vulnerability remotely and with low effort, requiring no privileges, user interaction, or special conditions. Successful exploitation allows attackers to create a new administrative account, potentially granting full control over the affected software, with high impacts on confidentiality, integrity, and availability.

Mitigation details are provided in advisories from TWCERT/CC, available at https://www.twcert.org.tw/en/cp-139-10785-2cafe-2.html and https://www.twcert.org.tw/tw/cp-132-10784-4f67d-1.html. Security practitioners should consult these references for patch information, workarounds, or configuration changes to address the issue.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

GCB/FCB Audit Software developed by DrangSoft has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly access certain APIs to create a new administrative account.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1136 Create Account Persistence
Adversaries may create an account to maintain access to victim systems.
Why these techniques?

Missing authentication in public-facing APIs enables exploitation of public-facing application (T1190) and creation of administrative accounts (T1136).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4810Shared CWE-306
CVE-2026-2165Shared CWE-306
CVE-2025-53847Shared CWE-306
CVE-2025-61757Shared CWE-306
CVE-2025-68715Shared CWE-306
CVE-2026-21992Shared CWE-306
CVE-2025-26362Shared CWE-306
CVE-2026-48692Shared CWE-306
CVE-2022-50981Shared CWE-306
CVE-2025-58083Shared CWE-306

Affected Assets

dragonsoft
gcb\/fcb government financial cybersecurity configuration audit software
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires organizations to limit and document permitted actions without identification or authentication, preventing unauthenticated access to APIs for creating administrative accounts.

prevent

Enforces approved authorizations for logical access to system resources, ensuring authentication is required for sensitive API endpoints exploited in this vulnerability.

prevent

Manages account creation processes to restrict administrative account provisioning to authorized entities only, blocking unauthorized admin account creation via unauthenticated APIs.

References