SecuriTricks - CVE-2025-4687

Description

In Teltonika Networks Remote Management System (RMS), it is possible to perform account pre-hijacking by misusing the invite functionality. If a victim has a pending invite and registers to the platform directly, they are added to the attackers company without their knowledge. The victims account and their company can then be managed by the attacker.This issue affects RMS: before 5.7.

Product(s) Impacted

Vendor	Product	Versions
Teltonika	Remote Management System	*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-288

Authentication Bypass Using an Alternate Path or Channel

A product requires authentication, but the product has an alternate path or channel that does not require authentication.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	teltonika	remote_management_system	/	<5.7	/	/	/	/	/	/

References

https://jowin922.medium.com/cve-2025-4687-pre-account-takeover-through-invite-on-teletonika-rms-website-972335378829

CVSS Score

7.2 / 10

CVSS Data - 4.0

Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: PRESENT
Privileges Required: LOW
User Interaction: ACTIVE
Scope:
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: HIGH
Exploit Maturity: NOT_DEFINED

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

View Vector String

Timeline

Published: May 29, 2025, 9:15 a.m.
Last Modified: May 29, 2025, 2:29 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

001d69cf-3fc9-4203-93fb-9865b54e05b2

CVE-2025-4687