CVE-2025-6685 HIGH

CVE-2025-6685: ATEN eco DC Missing Authorization Privilege Escalation Vulnerability

Vendor Aten
Product eco DC
Weakness CWE-862 · Missing authorization
Published September 2, 2025
Last update September 2, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

ATEN eco DC Missing Authorization Privilege Escalation Vulnerability. This vulnerability allows remote attackers to escalate privileges on affected installations of ATEN eco DC. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based interface. The issue results from a failure to validate the assigned user role when handling requests. An attacker can leverage this vulnerability to escalate privileges and reach resources normally protected from the user. Was ZDI-CAN-26647.

Key dates

02 Disclosure timeline

September 2, 2025 CVE published
September 2, 2025 Record updated

Related vulnerabilities

04 Related CVE