CVE-2025-4687: Account pre-hijacking through invite misuse

7.2 CVSS

Description

In Teltonika Networks Remote Management System (RMS), it is possible to perform account pre-hijacking by misusing the invite functionality. If a victim has a pending invite and registers on the platform directly, they are added to the attacker's company without their knowledge. The victim's account and their company can then be managed by the attacker. This issue affects RMS: before 5.7.
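As an added illustration (not Teltonika's code; class names, function names and e-mail addresses are constructed), the sign-up pattern the description implies, where a pending invite is silently consumed at direct registration, beside a hardened flow that leaves the invite pending until the authenticated user explicitly accepts it:

```python
"""Added example for CVE-2025-4687 (not the vendor's code): models an invite
that binds a freshly registered account to the inviter's company without
the registering user's consent, and a mitigated flow. All names constructed."""
from dataclasses import dataclass, field


@dataclass
class Invite:
    email: str          # address the invite was sent to
    company: str        # organisation the inviter wants to add the user to
    accepted: bool = False


@dataclass
class Account:
    email: str
    companies: list = field(default_factory=list)


def register_vulnerable(email: str, pending_invites: list) -> Account:
    """Flawed pattern: any pending invite for the same e-mail is consumed
    at sign-up, so the new account joins the inviter's company with no
    action (and no knowledge) on the registering user's side."""
    acct = Account(email)
    for inv in pending_invites:
        if inv.email == email and not inv.accepted:
            inv.accepted = True
            acct.companies.append(inv.company)   # silent membership
    return acct


def register_hardened(email: str, pending_invites: list) -> Account:
    """Mitigation: direct registration never touches invites. The invite
    stays pending; membership is granted only via accept_invite below."""
    return Account(email)


def accept_invite(acct: Account, inv: Invite, token_ok: bool) -> bool:
    """Explicit, authenticated acceptance. token_ok is assumed to be the
    result of validating the invite token from the link the user opened
    while logged in; the e-mail must also match the invited address."""
    if not token_ok or inv.email != acct.email or inv.accepted:
        return False
    inv.accepted = True
    acct.companies.append(inv.company)
    return True
```

In the hardened flow a user who signs up directly ends up in no company at all, and the invite can still be reviewed or declined later.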

Classification

CVE ID: CVE-2025-4687

CVSS Base Severity: HIGH

CVSS Base Score: 7.2

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:H/SC:H/SI:H/SA:H

Affected Products

Vendor: Teltonika Networks

Product: RMS

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 12.68% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-08 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-4687
https://jowin922.medium.com/cve-2025-4687-pre-account-takeover-through-invite-on-teletonika-rms-website-972335378829

Timeline