Answer Brief
TWCERT/CC disclosed a critical “Missing Authentication” vulnerability in Chunghwa Long Network’s GCB/FCB government/financial cybersecurity configuration audit software. The issue allows a remote, unauthenticated attacker to use an API function to create a new administrator-privileged account. Affected deployments are versions prior to 20260108; users are advised to upgrade to 20260108 or later.

Why It Matters
This disclosure is a high-severity identity and access control failure in a product positioned for government and financial environments, where configuration-audit tooling often has broad visibility and elevated privileges. According to TWCERT/CC, the flaw is a missing authentication check on an API pathway, enabling an external attacker with no prior access to create a new administrator account. That combination—remote reachability, no required privileges, and direct admin account creation—matches the disclosed 9.8 Critical CVSS score and represents a fast path to full product takeover.
Why this Taiwan signal matters globally: the affected software is explicitly described as used in government and finance contexts, two sectors that often operate interconnected oversight, audit, and compliance systems. Even when such tools are deployed in local jurisdictions, their integrations (API-driven workflows, centralized logging, directory connectivity, or management networks) can create downstream risk for shared service providers, regional partners, or multinational organizations with cross-border operations. For cloud and infrastructure security teams, the core lesson is that “audit/compliance” platforms can become high-impact identity control points; missing authentication on management APIs can effectively bypass standard governance.
The advisory states that the remediation is to upgrade to version 20260108 or later. The TWCERT/CC notice provides no exploitation details, indicators of compromise, or confirmation of in-the-wild abuse, so on the basis of this source alone the operational impact should be treated as potential rather than observed.
Event Type: security
Importance: high
Affected Companies
- Chunghwa Long Network (中華龍網)
- DEVCORE
- TWCERT/CC
Affected Sectors
- Cybersecurity
- Financial Services
- Government
- IT Operations
Key Numbers
- CVE: CVE-2026-4312
- TVN ID: TVN-202603006
- CVSS v3.1: 9.8 (Critical)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Affected versions: Earlier than 20260108
- Fixed version: 20260108 and later
- Public disclosure date: 2026-03-17
Timeline
- TWCERT/CC publishes TVN-202603006 for CVE-2026-4312 affecting Chunghwa Long Network GCB/FCB security configuration audit software.