CVE-2025-13477 PUBLISHED

OTP Bypass in Digital Operation Services' WifiBurada

Assigner: TR-CERT
Reserved: 20.11.2025 Published: 21.05.2026 Updated: 21.05.2026

Exposure of private personal information to an unauthorized actor, Insufficiently Protected Credentials vulnerability in Digital Operations Services Inc. WifiBurada allows Authentication Bypass.

This issue affects WifiBurada: through 21052026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CVSS Score: 7.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Digital Operations Services Inc.
Product	WifiBurada
Versions	Default: unknown affected from 0 to 21052026 (incl.)

Credits

Ahmed Resül MERİÇ finder
Mustafa Anıl YILDIRIM coordinator

References

https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0284

Problem Types

CWE-359 Exposure of private personal information to an unauthorized actor CWE
CWE-522 Insufficiently Protected Credentials CWE

Impacts

CAPEC-115 Authentication Bypass