{"api_version":"1","generated_at":"2026-06-06T17:55:26+00:00","cve":"CVE-2025-2311","urls":{"html":"https://cve.report/CVE-2025-2311","api":"https://cve.report/api/cve/CVE-2025-2311.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-2311","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-2311"},"summary":{"title":"Authentication Bypass in Sechard Information Technologies' SecHard","description":"Incorrect Use of Privileged APIs, Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in Sechard Information Technologies SecHard allows Authentication Bypass, Interface Manipulation, Authentication Abuse, Harvesting Information via API Event Monitoring.\n\nThis issue affects SecHard: before 3.3.0.20220411.","state":"PUBLISHED","assigner":"TR-CERT","published_at":"2025-03-20 12:15:14","updated_at":"2026-06-06 08:16:51"},"problem_types":["CWE-319","CWE-522","CWE-648","CWE-648 CWE-648 Incorrect Use of Privileged APIs","CWE-319 CWE-319 Cleartext Transmission of Sensitive Information","CWE-522 CWE-522 Insufficiently Protected Credentials"],"metrics":[{"version":"3.1","source":"iletisim@usom.gov.tr","type":"Secondary","score":"9","severity":"CRITICAL","vector":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":9,"baseSeverity":"CRITICAL","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"9","severity":"CRITICAL","vector":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"ADJACENT_NETWORK","availabilityImpact":"HIGH","baseScore":9,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://www.usom.gov.tr/bildirim/tr-25-0074","name":"https://www.usom.gov.tr/bildirim/tr-25-0074","refsource":"iletisim@usom.gov.tr","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0074","name":"https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0074","refsource":"iletisim@usom.gov.tr","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-2311","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-2311","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Sechard Information Technologies","product":"SecHard","version":"affected 3.3.0.20220411 custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Berat Ugur DEMIRKAN","lang":"en"},{"source":"CNA","value":"BG-TEK Cyber Security","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2025-2311","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2025-03-20T13:01:52.171386Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2025-03-20T13:05:28.736Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"SecHard","vendor":"Sechard Information Technologies","versions":[{"lessThan":"3.3.0.20220411","status":"affected","version":"0","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","value":"Berat Ugur DEMIRKAN"},{"lang":"en","type":"sponsor","value":"BG-TEK Cyber Security"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Incorrect Use of Privileged APIs, Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in Sechard Information Technologies SecHard allows Authentication Bypass, Interface Manipulation, Authentication Abuse, Harvesting Information via API Event Monitoring.<p>This issue affects SecHard: before 3.3.0.20220411.</p>"}],"value":"Incorrect Use of Privileged APIs, Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in Sechard Information Technologies SecHard allows Authentication Bypass, Interface Manipulation, Authentication Abuse, Harvesting Information via API Event Monitoring.\n\nThis issue affects SecHard: before 3.3.0.20220411."}],"impacts":[{"capecId":"CAPEC-115","descriptions":[{"lang":"en","value":"CAPEC-115 Authentication Bypass"}]},{"capecId":"CAPEC-113","descriptions":[{"lang":"en","value":"CAPEC-113 Interface Manipulation"}]},{"capecId":"CAPEC-114","descriptions":[{"lang":"en","value":"CAPEC-114 Authentication Abuse"}]},{"capecId":"CAPEC-383","descriptions":[{"lang":"en","value":"CAPEC-383 Harvesting Information via API Event Monitoring"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"ADJACENT_NETWORK","availabilityImpact":"HIGH","baseScore":9,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-648","description":"CWE-648 Incorrect Use of Privileged APIs","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-319","description":"CWE-319 Cleartext Transmission of Sensitive Information","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-522","description":"CWE-522 Insufficiently Protected Credentials","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-06T06:14:52.819Z","orgId":"ca940d4e-fea4-4aa2-9a58-591a58b1ce21","shortName":"TR-CERT"},"references":[{"tags":["government-resource","broken-link"],"url":"https://www.usom.gov.tr/bildirim/tr-25-0074"},{"tags":["government-resource"],"url":"https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0074"}],"source":{"advisory":"TR-25-0074","defect":["TR-25-0074"],"discovery":"UNKNOWN"},"title":"Authentication Bypass in Sechard Information Technologies' SecHard","x_generator":{"engine":"Vulnogram 0.2.0"}}},"cveMetadata":{"assignerOrgId":"ca940d4e-fea4-4aa2-9a58-591a58b1ce21","assignerShortName":"TR-CERT","cveId":"CVE-2025-2311","datePublished":"2025-03-20T11:55:51.628Z","dateReserved":"2025-03-14T13:25:01.277Z","dateUpdated":"2026-06-06T06:14:52.819Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2025-03-20 12:15:14","lastModifiedDate":"2026-06-06 08:16:51","problem_types":["CWE-319","CWE-522","CWE-648","CWE-648 CWE-648 Incorrect Use of Privileged APIs","CWE-319 CWE-319 Cleartext Transmission of Sensitive Information","CWE-522 CWE-522 Insufficiently Protected Credentials"],"metrics":{"cvssMetricV31":[{"source":"iletisim@usom.gov.tr","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":9,"baseSeverity":"CRITICAL","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.3,"impactScore":6}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"2311","Ordinal":"1","Title":"Authentication Bypass in Sechard Information Technologies' SecHa","CVE":"CVE-2025-2311","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"2311","Ordinal":"1","NoteData":"Incorrect Use of Privileged APIs, Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in Sechard Information Technologies SecHard allows Authentication Bypass, Interface Manipulation, Authentication Abuse, Harvesting Information via API Event Monitoring.\n\nThis issue affects SecHard: before 3.3.0.20220411.","Type":"Description","Title":"Authentication Bypass in Sechard Information Technologies' SecHa"}]}}}