CVE-2025-2911 - Vulnerability Details - OpenCVE

Unauthorised access to the call forwarding service system in MeetMe products in versions prior to 2024-09 allows an attacker to identify multiple users and perform brute force attacks via extensions.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fermax-mobile-applications

History

Fri, 28 Mar 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 28 Mar 2025 13:15:00 +0000

Type	Values Removed	Values Added
Description		Unauthorised access to the call forwarding service system in MeetMe products in versions prior to 2024-09 allows an attacker to identify multiple users and perform brute force attacks via extensions.
Title		Improper Restriction of Excessive Authentication Attempts vulnerability in MeetMe products
Weaknesses		CWE-307
References		https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fermax-mobile-applications
Metrics		cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2025-03-28T12:54:59.611Z

Updated: 2025-03-28T13:39:50.199Z

Reserved: 2025-03-28T10:32:53.596Z

Link: CVE-2025-2911

Vulnrichment

Updated: 2025-03-28T13:39:46.678Z

NVD

Status : Awaiting Analysis

Published: 2025-03-28T13:15:41.673

Modified: 2025-03-28T18:11:40.180

Link: CVE-2025-2911

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-2911", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2025-03-28T10:32:53.596Z", "datePublished": "2025-03-28T12:54:59.611Z", "dateUpdated": "2025-03-28T13:39:50.199Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MeetMe", "vendor": "Fermax", "versions": [{"lessThan": "2024-09", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Fermax cybersecurity team"}], "datePublic": "2025-03-28T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Unauthorised access to the call forwarding service system in MeetMe products in versions prior to 2024-09 allows an attacker to identify multiple users and perform brute force attacks via extensions."}], "value": "Unauthorised access to the call forwarding service system in MeetMe products in versions prior to 2024-09 allows an attacker to identify multiple users and perform brute force attacks via extensions."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-307", "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2025-03-28T12:57:50.388Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fermax-mobile-applications"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The vulnerability have been fixed by the Fermax team in version 2024-09 for the authentication and call forwarding services in MeetMe products."}], "value": "The vulnerability have been fixed by the Fermax team in version 2024-09 for the authentication and call forwarding services in MeetMe products."}], "source": {"discovery": "INTERNAL"}, "title": "Improper Restriction of Excessive Authentication Attempts vulnerability in MeetMe products", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-28T13:39:36.540142Z", "id": "CVE-2025-2911", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-28T13:39:50.199Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2911", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-28T13:39:36.540142Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-28T13:39:46.678Z"}}], "cna": {"title": "Improper Restriction of Excessive Authentication Attempts vulnerability in MeetMe products", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Fermax cybersecurity team"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Fermax", "product": "MeetMe", "versions": [{"status": "affected", "version": "0", "lessThan": "2024-09", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The vulnerability have been fixed by the Fermax team in version 2024-09 for the authentication and call forwarding services in MeetMe products.", "supportingMedia": [{"type": "text/html", "value": "The vulnerability have been fixed by the Fermax team in version 2024-09 for the authentication and call forwarding services in MeetMe products.", "base64": false}]}], "datePublic": "2025-03-28T11:00:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fermax-mobile-applications"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Unauthorised access to the call forwarding service system in MeetMe products in versions prior to 2024-09 allows an attacker to identify multiple users and perform brute force attacks via extensions.", "supportingMedia": [{"type": "text/html", "value": "Unauthorised access to the call forwarding service system in MeetMe products in versions prior to 2024-09 allows an attacker to identify multiple users and perform brute force attacks via extensions.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2025-03-28T12:57:50.388Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2911", "state": "PUBLISHED", "dateUpdated": "2025-03-28T13:39:50.199Z", "dateReserved": "2025-03-28T10:32:53.596Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2025-03-28T12:54:59.611Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Unauthorised access to the call forwarding service system in MeetMe products in versions prior to 2024-09 allows an attacker to identify multiple users and perform brute force attacks via extensions."}], "id": "CVE-2025-2911", "lastModified": "2025-03-28T18:11:40.180", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2025-03-28T13:15:41.673", "references": [{"source": "cve-coordination@incibe.es", "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fermax-mobile-applications"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "cve-coordination@incibe.es", "type": "Primary"}]}