CVE-2025-32440 | NetAlertX is a network, presence scanner and alert framework… | CVSS 10.0 CRITICAL

Description

NetAlertX is a network, presence scanner and alert framework. Prior to version 25.4.14, it is possible to bypass the authentication mechanism of NetAlertX to update settings without authentication. An attacker can trigger sensitive functions within util.php by sending crafted requests to /index.php. This issue has been patched in version 25.4.14.

Metadata

CVE ID: CVE-2025-32440
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2025-04-08 10:54 UTC
Published: 2025-05-27 21:59 UTC
Last updated: 2025-05-28 13:45 UTC
Primary CWE: CWE-306
CWE-306: Missing Authentication for Critical Function
Vendor / Product: jokob-sk / NetAlertX
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
jokob-sk	NetAlertX	—	< 25.4.14

Weakness (CWE)

CWE	Source	Description
CWE-306	cna	CWE-306: Missing Authentication for Critical Function

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (2)

https://github.com/jokob-sk/NetAlertX/security/advisories/GHSA-h4x5-vr54-vjrx https://github.com/jokob-sk/NetAlertX/security/advisories/GHSA-h4x5-vr54-vjrx
https://github.com/jokob-sk/NetAlertX/releases/tag/v25.4.14 https://github.com/jokob-sk/NetAlertX/releases/tag/v25.4.14