UK Companies House Exposed Details of Millions of Firms

"Any logged-in user could access other companies' accounts on the Companies House platform. The attacker could have gained access to the non-public information of five million registered firms, including directors' dates of birth, home addresses and email addresses. In addition, an attacker could have changed a company's details and could have submitted unauthorized filings."
"An attacker only needed to select the 'file for another company' option, enter the unique number associated with the targeted company and, when prompted for an authentication code, press the back button a few times. The attacker would then automatically be logged in to the targeted company's account."
"The flaw was introduced in October 2025 and it was addressed over the weekend after the service was shut down on Friday. This was not accessible to the general public. Only users with an authorised code and logged in to the service could have performed this action."
Companies House, the UK government agency that maintains the public register of companies, found a critical broken-access-control flaw in its WebFiling service. The flaw, introduced in October 2025 and discovered on March 12, let any logged-in user reach another company's account without any technical skill: select the 'file for another company' option, enter the target's company number and, when prompted for that company's authentication code, press the browser's back button a few times. The service then treated the user as logged in to the target company, exposing non-public information (directors' dates of birth, home addresses and email addresses) and allowing the company's details to be changed and unauthorised filings to be submitted. That the code prompt could be stepped around by navigating backwards suggests a multi-step authorisation flow in which the session was bound to the target company before the code check had actually succeeded. The attack was not open to the general public: it required an account that was already logged in and held a valid authentication code for some company. Companies House took the service offline on Friday and patched it over the weekend.
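The following is an added illustration of the bug class described above, not Companies House's code (the WebFiling implementation is not public). It models a hypothetical two-step "file for another company" flow twice: a vulnerable version that binds the target company to the server-side session as soon as the company number is entered and leaves the code check to the next page, and a hardened version that binds the session only after the code verifies. The company numbers, authentication codes and class names are constructed for the example.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample register: company number -> that company's authentication
# code. Purely illustrative; these are not real Companies House identifiers.
AUTH_CODES = {
    "00000001": "ATTACKER1",   # the attacker's own company
    "00000002": "TARGET0002",  # the target company
}


@dataclass
class Session:
    """Server-side session. `company` is the company the user may act for."""
    user: str
    company: Optional[str] = None
    pending_company: Optional[str] = None  # used only by the hardened flow


class VulnerableFlow:
    """Binds the target company to the session as soon as it is selected and
    relies on the *next* page to collect the code. A client that never
    completes that page (for example by navigating back) keeps the binding."""

    def select_company(self, s: Session, company_number: str) -> str:
        if company_number not in AUTH_CODES:
            return "unknown company"
        s.company = company_number  # BUG: authorisation granted before the code check
        return "enter authentication code"

    def submit_code(self, s: Session, code: str) -> str:
        if s.company is None or not hmac.compare_digest(AUTH_CODES[s.company], code):
            return "bad code"  # s.company is left in place even on failure
        return "ok"

    def view_filings(self, s: Session) -> Optional[str]:
        if s.company is None:
            return None
        return f"non-public filings for {s.company}"


class HardenedFlow:
    """Keeps the selected company as a pending target only; the session is
    bound to it after, and only after, the code verifies. Authorisation
    decisions never read `pending_company`."""

    def select_company(self, s: Session, company_number: str) -> str:
        if company_number not in AUTH_CODES:
            return "unknown company"
        s.pending_company = company_number
        return "enter authentication code"

    def submit_code(self, s: Session, code: str) -> str:
        target, s.pending_company = s.pending_company, None  # single use
        if target is None or not hmac.compare_digest(AUTH_CODES[target], code):
            return "bad code"
        s.company = target  # bound only on success
        return "ok"

    def view_filings(self, s: Session) -> Optional[str]:
        if s.company is None:
            return None
        return f"non-public filings for {s.company}"


def back_button_attack(flow_cls) -> Optional[str]:
    """Select a target, then abandon the code prompt (the 'back button' step)
    and go straight to a page that needs authorisation."""
    flow = flow_cls()
    s = Session(user="attacker")
    flow.select_company(s, "00000002")
    # No submit_code() call: the attacker navigates away from the prompt.
    return flow.view_filings(s)


def legitimate_access(flow_cls, company_number: str, code: str) -> Optional[str]:
    """A user who really holds the company's code completes the flow."""
    flow = flow_cls()
    s = Session(user="director")
    flow.select_company(s, company_number)
    if flow.submit_code(s, code) != "ok":
        return None
    return flow.view_filings(s)


if __name__ == "__main__":
    print("vulnerable:", back_button_attack(VulnerableFlow))  # "non-public filings for 00000002"
    print("hardened:  ", back_button_attack(HardenedFlow))    # None
```

The check a practitioner would want from this is the same one the model makes explicit: every page that acts on behalf of a company must read only session state that was written after the code verified, and nothing written earlier in the flow may be reachable by that page, regardless of how the client navigated to it.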
Read at SecurityWeek