Forwarded from the National Cybersecurity Information Sharing and Analysis Center: Cybersecurity Alert NISAC-200-202511-00000149
[Content Description]
Researchers have found an authentication abuse vulnerability (CVE-2025-12870 and CVE-2025-12871) in aEnrich Technology's eHRD. An unauthenticated remote attacker can obtain, or forge on their own, administrator-privilege credentials and then use those credentials to access the system with administrator privileges. Please confirm whether you are affected and apply the patch as soon as possible.
[Affected Platforms]
a+HRD version 7.5 and earlier
[Recommended Actions]
The vendor has released a fix for this vulnerability. Please update according to the vendor's instructions at the following URL: https://www.aenrich.com.tw/news_events/pr_20251112.asp
[References]
1. https://nvd.nist.gov/vuln/detail/CVE-2025-12870
2. https://nvd.nist.gov/vuln/detail/CVE-2025-12871
3. https://www.aenrich.com.tw/news_events/pr_20251112.asp