CVE-2025-12871 | The a+HRD developed by aEnrich has an Authentication Abuse v… | CVSS 9.8 CRITICAL

Description

The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to craft administrator access tokens and use them to access the system with elevated privileges.

Metadata

CVE ID: CVE-2025-12871
State: PUBLISHED
Assigner: twcert
Reserved: 2025-11-07 11:10 UTC
Published: 2025-11-12 07:38 UTC
Last updated: 2025-11-12 17:01 UTC
Primary CWE: CWE-1390
CWE-1390 Weak Authentication
Vendor / Product: aEnrich / a+HRD
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
aEnrich	a+HRD	—	0 ≤ 7.5

Weakness (CWE)

CWE	Source	Description
CWE-1390	cna	CWE-1390 Weak Authentication

CVSS scores (2)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (2)