CVE-2025-30236

Name of the Vulnerable Software and Affected Versions Shearwater SecurEnvoy SecurAccess versions prior to 9.4.515

Description The issue allows authentication through only a six-digit TOTP code, skipping a password check, if an HTTP POST request contains a SESSION parameter. This is related to external control of assumed-immutable web parameters.

Recommendations For versions prior to 9.4.515, update to version 9.4.515 or later to resolve the issue. As a temporary workaround, consider restricting access to the authentication endpoint to minimize the risk of exploitation. Avoid using the SESSION parameter in HTTP POST requests until the issue is resolved.