Authentication-Bypass on HackingPassion.com : root@HackingPassion.com-[~]

OpenBSD Let Attackers Log In With an Empty Password for 27 Years

Wed, 17 Jun 2026 12:55:58 +0200

A 27-year-old flaw in OpenBSD let attackers bypass its PPP login with nothing more than an empty username and an empty password. Hand a vulnerable system a blank name and a blank password, and its own login check treated that as a perfect match and let the connection in.

The problem sits in the part of OpenBSD that handles PPP, the protocol behind many DSL and fiber connections, usually carried through PPPoE. When two machines set up that kind of link, one side can ask the other to prove who it is. One of the older ways to do that is PAP, the Password Authentication Protocol. One machine sends a name and a password, the other checks them against what it has stored, and if they match the link comes up.

BadHost Breaks Into FastAPI and vLLM With a Single Character

Wed, 27 May 2026 11:32:55 +0200

BadHost is one character in an HTTP header that bypasses authentication on FastAPI, vLLM, LiteLLM, and the Python MCP SDK. They all run on Starlette. Starlette has more than 400,000 dependent projects on GitHub. The bug is in Starlette.

It is tracked as CVE-2026-48710, disclosed on May 22. Starlette is the framework that sits underneath FastAPI and handles the basic plumbing of web requests: routing, middleware, everything that happens before your code runs. Through FastAPI it reaches vLLM, LiteLLM, Text Generation Inference, most OpenAI-compatible proxy servers, MCP servers, agent frameworks, and model management dashboards.

cPanel Authentication Bypass CVE-2026-41940 Gave Attackers 64 Days of Root Access

Fri, 01 May 2026 12:49:42 +0200

For 64 days, attackers had root access to cPanel servers managing over 70 million websites, and nobody had to know a single password to get in. A crafted HTTP request was enough, and two-factor authentication made no difference. The company behind the software was told about it two weeks before the patch dropped. Their first response was that nothing was wrong.

Whoever gets in walks away with root access to the entire server through WHM: the hosted sites, the databases behind them, the email accounts, the certificates, and every credential stored on that machine. With that level of access, someone can read every hosted account, modify files and databases, create permanent backdoor accounts, install malware, steal credentials, and potentially pivot from there into customer networks. Compromising one cPanel server does not mean compromising one website. It means compromising everyone sharing that machine.

How CVE 2026 40372 Breaks ASP.NET Core Authentication

Wed, 22 Apr 2026 13:17:50 +0200

The security fix Microsoft shipped in 2010 to stop attackers from decrypting ASP.NET traffic and forging authentication cookies just got quietly broken by a regression in .NET 10. Microsoft.AspNetCore.DataProtection 10.0.6 shipped on April 14, 2026. One week later, on April 21, Microsoft released 10.0.7 out of band with the fix. In those seven days, any Linux or macOS server running 10.0.6 may have handed out real, signed login tokens to attackers, and those tokens still work after the patch unless the key ring is rotated. 😏

Nginx-UI MCPwn (CVE-2026-33032): Full Server Takeover With One Unauthenticated Request

Thu, 16 Apr 2026 11:11:43 +0200

A critical vulnerability in nginx-ui has been actively exploited since March 2026, and it gives any attacker on the network full control over the nginx server behind it without a single credential. CVE-2026-33032 scores 9.8 on the CVSS scale, sits inside an AI integration that was added to the tool in late 2025, and the entire root cause turned out to be 27 characters of missing code. Recorded Future assigned it a risk score of 94 out of 100. The researchers who found it named it MCPwn. 😏

CVE-2026-24061. One Command, Root Access: The 11-Year Telnet Bug

Sat, 24 Jan 2026 14:00:10 +0100

It’s 2026 and attackers are still getting root shells via Telnet with a single command that requires no password whatsoever. 😏

SSH has existed for 31 years. Yet 221,000 telnet servers are still running online, and a bug hidden in the code since 2015 just handed attackers the keys to the kingdom. CVE-2026-24061. CVSS 9.8. Critical.

The vulnerability sat in GNU InetUtils telnetd for almost 11 years before anyone noticed. Security researcher Kyu Neushwaistein found it on January 20, 2026, and by January 21, attackers were already exploiting it in the wild.

Fortinet Authentication Bypass: A 5-Year-Old Bug Returns While a New One Gets Exploited in 3 Days

Sat, 27 Dec 2025 12:39:00 +0100

You buy a firewall to protect your network. In one month, two different authentication bypasses are being actively exploited. One is five years old. One is brand new. 😏

December 2025. Fortinet has a problem.

On December 24th, Fortinet published an advisory about CVE-2020-12812. A vulnerability from July 2020. Five years old. Now being actively exploited again. Bypass two-factor authentication by typing the username in different case letters. Instead of “admin” type “Admin” or “ADMIN” and skip 2FA completely.

Your Router Just Failed: ASUS & TP-Link Critical Vulnerabilities (CVE-2025-59367)

Sun, 16 Nov 2025 13:11:54 +0100

Your router protects your home network from the internet. Or it’s supposed to. Two major vendors just proved it doesn’t. 😅

ASUS: CVE-2025-59367 (CVSS 9.3) TP-Link: CVE-2025-7850 + CVE-2025-7851 (CVSS 9.3 + 8.7)

Both disclosed November 2025. Both critical. Both letting attackers walk right in.

ASUS routers: No password required.

The vulnerability affects ASUS DSL-AC51, DSL-N16, and DSL-AC750 routers. Authentication bypass.

If your router’s management interface is exposed to the internet, an attacker can connect remotely without any credentials. No username. No password. Direct admin access.