CWE-307
Improper Restriction of Excessive Authentication Attempts
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
CVE-2025-4383 (GCVE-0-2025-4383)
Vulnerability from cvelistv5 – Published: 2025-06-24 15:18 – Updated: 2025-06-24 15:39 – CWE-307 - Improper Restriction of Excessive Authentication Attempts
| Vendor | Product | Version |
|---|---|---|
| Art-in Bilişim Teknolojileri ve Yazılım Hizm. Tic. Ltd. Şti. | Wi-Fi Cloud Hotspot | Affected: 0 , < 30.05.2025 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4383",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-24T15:38:53.808537Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-24T15:39:09.628Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Wi-Fi Cloud Hotspot",
"vendor": "Art-in Bili\u015fim Teknolojileri ve Yaz\u0131l\u0131m Hizm. Tic. Ltd. \u015eti.",
"versions": [
{
"lessThan": "30.05.2025",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Berat U\u011fur DEM\u0130RKAN"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Restriction of Excessive Authentication Attempts vulnerability in Art-in Bili\u015fim Teknolojileri ve Yaz\u0131l\u0131m Hizm. Tic. Ltd. \u015eti. Wi-Fi Cloud Hotspot allows Authentication Abuse, Authentication Bypass.\u003cp\u003eThis issue affects Wi-Fi Cloud Hotspot: before 30.05.2025.\u003c/p\u003e"
}
],
"value": "Improper Restriction of Excessive Authentication Attempts vulnerability in Art-in Bili\u015fim Teknolojileri ve Yaz\u0131l\u0131m Hizm. Tic. Ltd. \u015eti. Wi-Fi Cloud Hotspot allows Authentication Abuse, Authentication Bypass.This issue affects Wi-Fi Cloud Hotspot: before 30.05.2025."
}
],
"impacts": [
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-114 Authentication Abuse"
}
]
},
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-24T15:18:21.211Z",
"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"shortName": "TR-CERT"
},
"references": [
{
"url": "https://www.usom.gov.tr/bildirim/tr-25-0134"
}
],
"source": {
"advisory": "TR-25-0134",
"defect": [
"TR-25-0134"
],
"discovery": "UNKNOWN"
},
"title": "Authentication Bypass in Art-In Systems\u0027 Wi-Fi Cloud Hotspot",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"assignerShortName": "TR-CERT",
"cveId": "CVE-2025-4383",
"datePublished": "2025-06-24T15:18:21.211Z",
"dateReserved": "2025-05-06T13:42:31.922Z",
"dateUpdated": "2025-06-24T15:39:09.628Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-43863 (GCVE-0-2025-43863)
Vulnerability from cvelistv5 – Published: 2025-06-12 17:29 – Updated: 2025-06-12 17:54 – CWE-307 - Improper Restriction of Excessive Authentication Attempts
| URL | Tags |
|---|---|
| https://github.com/vantage6/vantage6/security/adv… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-43863",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-12T17:54:31.550967Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-12T17:54:44.017Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vantage6",
"vendor": "vantage6",
"versions": [
{
"status": "affected",
"version": "\u003c 4.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. If attacker gets access to an authenticated session, they can try to brute-force the user password by using the change password functionality: they can call that route infinitely which will return the message that password is wrong until it is correct. This vulnerability is fixed in 4.11."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 1.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-12T17:29:57.047Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vantage6/vantage6/security/advisories/GHSA-j6g5-p62x-58hw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-j6g5-p62x-58hw"
}
],
"source": {
"advisory": "GHSA-j6g5-p62x-58hw",
"discovery": "UNKNOWN"
},
"title": "vantage6 lacks brute-force protection on change password functionality"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-43863",
"datePublished": "2025-06-12T17:29:57.047Z",
"dateReserved": "2025-04-17T20:07:08.556Z",
"dateUpdated": "2025-06-12T17:54:44.017Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-46414 (GCVE-0-2025-46414)
Vulnerability from cvelistv5 – Published: 2025-08-08 16:17 – Updated: 2025-08-08 19:13 – CWE-307 - Improper Restriction of Excessive Authentication Attempts
| Vendor | Product | Version |
|---|---|---|
| EG4 Electronics | EG4 12kPV | Affected: all versions |
| EG4 Electronics | EG4 18kPV | Affected: all versions |
| EG4 Electronics | EG4 Flex 21 | Affected: all versions |
| EG4 Electronics | EG4 Flex 18 | Affected: all versions |
| EG4 Electronics | EG4 6000XP | Affected: all versions |
| EG4 Electronics | EG4 12000XP | Affected: all versions |
| EG4 Electronics | EG4 GridBoss | Affected: all versions |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46414",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-08T19:13:34.209202Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-08T19:13:44.835Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EG4 12kPV",
"vendor": "EG4 Electronics",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EG4 18kPV",
"vendor": "EG4 Electronics",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EG4 Flex 21",
"vendor": "EG4 Electronics",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EG4 Flex 18",
"vendor": "EG4 Electronics",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EG4 6000XP",
"vendor": "EG4 Electronics",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EG4 12000XP",
"vendor": "EG4 Electronics",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EG4 GridBoss",
"vendor": "EG4 Electronics",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Anthony Rose of BC Security reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The affected product does not limit the number of attempts for inputting\n the correct PIN for a registered product, which may allow an attacker \nto gain unauthorized access using brute-force methods if they possess a \nvalid device serial number. The API provides clear feedback when the \ncorrect PIN is entered. This vulnerability was patched in a server-side \nupdate on April 6, 2025."
}
],
"value": "The affected product does not limit the number of attempts for inputting\n the correct PIN for a registered product, which may allow an attacker \nto gain unauthorized access using brute-force methods if they possess a \nvalid device serial number. The API provides clear feedback when the \ncorrect PIN is entered. This vulnerability was patched in a server-side \nupdate on April 6, 2025."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-08T16:17:43.727Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-07"
},
{
"url": "https://eg4electronics.com/contact/"
}
],
"source": {
"advisory": "ICSA-25-219-07",
"discovery": "EXTERNAL"
},
"title": "EG4 Electronics EG4 Inverters Improper Restriction of Excessive Authentication Attempts",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\n\u003cp\u003eCVE-2025-46414 was fixed on April 6, 2025. No user action was or is necessary.\u003c/p\u003e\n\u003cp\u003eFor more information, \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://eg4electronics.com/contact/\"\u003econtact EG4.\u003c/a\u003e\u003c/p\u003e\n\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://eg4electronics.com/contact/\"\u003e\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "CVE-2025-46414 was fixed on April 6, 2025. No user action was or is necessary.\n\n\nFor more information, contact EG4. https://eg4electronics.com/contact/ \n\n\n\n https://eg4electronics.com/contact/"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-46414",
"datePublished": "2025-08-08T16:17:43.727Z",
"dateReserved": "2025-07-30T19:03:10.098Z",
"dateUpdated": "2025-08-08T19:13:44.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-46603 (GCVE-0-2025-46603)
Vulnerability from cvelistv5 – Published: 2025-12-05 19:01 – Updated: 2025-12-05 19:15 – CWE-307 - Improper Restriction of Excessive Authentication Attempts
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/en-us/00039741… | vendor-advisory |
| Vendor | Product | Version |
|---|---|---|
| Dell | CloudBoost Virtual Appliance | Affected: N/A , < 19.13.0.2 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46603",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-05T19:14:28.967958Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T19:15:38.424Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CloudBoost Virtual Appliance",
"vendor": "Dell",
"versions": [
{
"lessThan": "19.13.0.2",
"status": "affected",
"version": "N/A",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-12-01T18:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Dell CloudBoost Virtual Appliance, versions 19.13.0.0 and prior, contains an Improper Restriction of Excessive Authentication Attempts vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access."
}
],
"value": "Dell CloudBoost Virtual Appliance, versions 19.13.0.0 and prior, contains an Improper Restriction of Excessive Authentication Attempts vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T19:01:28.898Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000397417/dsa-2025-387-security-update-for-dell-cloudboost-virtual-appliance-multiple-vulnerabilities"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2025-46603",
"datePublished": "2025-12-05T19:01:28.898Z",
"dateReserved": "2025-04-25T05:03:51.783Z",
"dateUpdated": "2025-12-05T19:15:38.424Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-46606 (GCVE-0-2025-46606)
Vulnerability from cvelistv5 – Published: 2026-04-17 11:36 – Updated: 2026-04-18 03:55 – CWE-307 - Improper Restriction of Excessive Authentication Attempts
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/en-us/00045069… | vendor-advisory |
| Vendor | Product | Version |
|---|---|---|
| Dell | PowerProtect Data Domain | Affected: 0 , < 8.6.0.0 or later (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46606",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-17T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T03:55:33.318Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerProtect Data Domain",
"vendor": "Dell",
"versions": [
{
"lessThan": "8.6.0.0 or later",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-04-15T18:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain an improper restriction of excessive authentication attempts vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access."
}
],
"value": "Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain an improper restriction of excessive authentication attempts vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T11:36:54.469Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2025-46606",
"datePublished": "2026-04-17T11:36:54.469Z",
"dateReserved": "2025-04-25T05:03:51.784Z",
"dateUpdated": "2026-04-18T03:55:33.318Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-46739 (GCVE-0-2025-46739)
Vulnerability from cvelistv5 – Published: 2025-05-12 16:08 – Updated: 2025-05-12 17:57 – CWE-307 - Improper Restriction of Excessive Authentication Attempts
| Vendor | Product | Version |
|---|---|---|
| Schweitzer Engineering Laboratories | SEL Blueframe OS | Affected: 0 , < 1.12.0 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46739",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-12T17:56:48.831649Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-12T17:57:08.901Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SEL Blueframe OS",
"vendor": "Schweitzer Engineering Laboratories",
"versions": [
{
"lessThan": "1.12.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An unauthenticated user could discover account credentials via a brute-force attack without rate limiting"
}
],
"value": "An unauthenticated user could discover account credentials via a brute-force attack without rate limiting"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-12T16:08:38.763Z",
"orgId": "5804bb70-792c-43e0-8596-486cc0efe699",
"shortName": "SEL"
},
"references": [
{
"url": "https://selinc.com/products/software/latest-software-versions/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Improper Restriction of Excessive Authentication Attempts",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5804bb70-792c-43e0-8596-486cc0efe699",
"assignerShortName": "SEL",
"cveId": "CVE-2025-46739",
"datePublished": "2025-05-12T16:08:38.763Z",
"dateReserved": "2025-04-28T21:27:38.847Z",
"dateUpdated": "2025-05-12T17:57:08.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47951 (GCVE-0-2025-47951)
Vulnerability from cvelistv5 – Published: 2025-06-16 20:57 – Updated: 2025-06-17 18:52 – CWE-307 - Improper Restriction of Excessive Authentication Attempts
| URL | Tags |
|---|---|
| https://github.com/WeblateOrg/weblate/security/ad… | x_refsource_CONFIRM |
| https://github.com/WeblateOrg/weblate/pull/14918 | x_refsource_MISC |
| https://github.com/WeblateOrg/weblate/commit/f806… | x_refsource_MISC |
| https://hackerone.com/reports/3150564 | x_refsource_MISC |
| https://github.com/WeblateOrg/weblate/releases/ta… | x_refsource_MISC |
| Vendor | Product | Version |
|---|---|---|
| WeblateOrg | weblate | Affected: < 5.12 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47951",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-17T18:49:15.267847Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T18:52:13.582Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "weblate",
"vendor": "WeblateOrg",
"versions": [
{
"status": "affected",
"version": "\u003c 5.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. This issue has been patched in version 5.12."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T20:57:52.509Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-57jg-m997-cx3q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-57jg-m997-cx3q"
},
{
"name": "https://github.com/WeblateOrg/weblate/pull/14918",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WeblateOrg/weblate/pull/14918"
},
{
"name": "https://github.com/WeblateOrg/weblate/commit/f806293451248c5d95e45b3b507e9d158bc4f384",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WeblateOrg/weblate/commit/f806293451248c5d95e45b3b507e9d158bc4f384"
},
{
"name": "https://hackerone.com/reports/3150564",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3150564"
},
{
"name": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.12.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.12.1"
}
],
"source": {
"advisory": "GHSA-57jg-m997-cx3q",
"discovery": "UNKNOWN"
},
"title": "Weblate lacks rate limiting when verifying second factor"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-47951",
"datePublished": "2025-06-16T20:57:52.509Z",
"dateReserved": "2025-05-14T10:32:43.531Z",
"dateUpdated": "2025-06-17T18:52:13.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48014 (GCVE-0-2025-48014)
Vulnerability from cvelistv5 – Published: 2025-05-20 15:10 – Updated: 2025-05-20 15:55 – CWE-307 - Improper Restriction of Excessive Authentication Attempts
| Vendor | Product | Version |
|---|---|---|
| Schweitzer Engineering Laboratories | SEL-5056 Software-Defined Network Flow Controller | Affected: 0 , < 2.16.0 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48014",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-20T15:55:40.900047Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-20T15:55:46.002Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "SEL-5056 Software-Defined Network Flow Controller",
"vendor": "Schweitzer Engineering Laboratories",
"versions": [
{
"lessThan": "2.16.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Password guessing limits could be bypassed when using LDAP authentication."
}
],
"value": "Password guessing limits could be bypassed when using LDAP authentication."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-20T15:10:54.624Z",
"orgId": "5804bb70-792c-43e0-8596-486cc0efe699",
"shortName": "SEL"
},
"references": [
{
"url": "https://selinc.com/products/software/latest-software-versions/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Improper Restriction of Excessive Authentication Attempts",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5804bb70-792c-43e0-8596-486cc0efe699",
"assignerShortName": "SEL",
"cveId": "CVE-2025-48014",
"datePublished": "2025-05-20T15:10:54.624Z",
"dateReserved": "2025-05-15T00:31:11.897Z",
"dateUpdated": "2025-05-20T15:55:46.002Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
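The vantage6 record (CVE-2025-43863, lockout missing on the change-password route) and the SEL-5056 record (CVE-2025-48014, guessing limits bypassed when LDAP is the backend) share one defect shape: the failed-attempt limit is attached to a single login path instead of to the credential check itself, so any second path that also verifies a password skips it. The following is an added example, not code from vantage6, SEL or any other project on this page; the class names, the five-failure limit, the 15-minute lockout, the toy in-memory "LDAP" directory and the sample user are all assumptions made for the demonstration. The point it shows is that every route that verifies a password, whatever backend does the verifying, must pass through the same guard.

```python
"""Enforce the password-guessing limit at the credential check, not per route."""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5        # assumption: lock after five consecutive failures
LOCKOUT_SECONDS = 900   # assumption: 15-minute lockout


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LockoutPolicy:
    """Per-account failure counter shared by every credential check."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = {}  # username -> (count, locked_until)

    def check(self, username: str) -> None:
        _count, locked_until = self.failures.get(username, (0, 0.0))
        if locked_until:
            if locked_until > self.clock():
                raise PermissionError("account temporarily locked")
            self.failures.pop(username, None)  # lock expired: start fresh

    def record(self, username: str, success: bool) -> None:
        if success:
            self.failures.pop(username, None)
            return
        count, _ = self.failures.get(username, (0, 0.0))
        count += 1
        locked_until = self.clock() + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self.failures[username] = (count, locked_until)


def is_locked(policy: LockoutPolicy, username: str) -> bool:
    try:
        policy.check(username)
        return False
    except PermissionError:
        return True


class LdapBackend:
    """Constructed stand-in for a directory bind; not a real LDAP client."""

    def __init__(self, directory: dict):
        self.directory = directory

    def bind(self, username: str, password: str) -> bool:
        stored = self.directory.get(username)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


class AuthService:
    def __init__(self, policy: LockoutPolicy, ldap: LdapBackend = None):
        self.policy = policy
        self.ldap = ldap
        self.local = {}  # username -> (salt, pbkdf2 digest)

    def add_local_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.local[username] = (salt, _pbkdf2(password, salt))

    def _verify_local(self, username: str, password: str) -> bool:
        rec = self.local.get(username)
        if rec is None:
            _pbkdf2(password, b"\x00" * 16)  # burn the same cost for unknown users
            return False
        salt, digest = rec
        return hmac.compare_digest(_pbkdf2(password, salt), digest)

    def _verify_ldap(self, username: str, password: str) -> bool:
        return self.ldap is not None and self.ldap.bind(username, password)

    def _guarded(self, username: str, verifier, password: str) -> bool:
        """The single choke point: every password check, any backend, any route."""
        self.policy.check(username)  # raises PermissionError while locked
        ok = verifier(username, password)
        self.policy.record(username, ok)
        return ok

    def login(self, username: str, password: str, backend: str = "local") -> bool:
        verifier = self._verify_ldap if backend == "ldap" else self._verify_local
        return self._guarded(username, verifier, password)

    def change_password(self, username: str, current: str, new: str) -> bool:
        # Verifies the current password, so it is a guessing oracle and must be guarded too.
        if not self._guarded(username, self._verify_local, current):
            return False
        self.add_local_user(username, new)
        return True


def brute_force(attempt, candidates):
    """Return (guesses actually evaluated, success) for an attacker hitting `attempt`."""
    tried = 0
    for candidate in candidates:
        try:
            tried += 1
            if attempt(candidate):
                return tried, True
        except PermissionError:
            return tried - 1, False  # this guess was refused, never evaluated
    return tried, False


def demo():
    policy = LockoutPolicy()
    svc = AuthService(policy, ldap=LdapBackend({"alice": "ldap-secret"}))
    svc.add_local_user("alice", "correct horse")
    wordlist = [f"guess{i}" for i in range(20)] + ["ldap-secret"]
    # Guessing through the LDAP path burns the shared budget ...
    ldap_tried, ldap_ok = brute_force(lambda p: svc.login("alice", p, backend="ldap"), wordlist)
    # ... so the change-password path gets zero further guesses.
    chg_tried, chg_ok = brute_force(lambda p: svc.change_password("alice", p, "new"), wordlist)
    return ldap_tried, ldap_ok, chg_tried, chg_ok


if __name__ == "__main__":
    print(demo())
```

A pure per-account lockout is itself a denial-of-service lever (the CVSS availability ratings on several of these records reflect that): an attacker who knows a username can lock its owner out at will. In practice pair the account counter with per-source throttling or escalating delays so that legitimate users are inconvenienced rather than locked, and make sure the counter is keyed on the account as resolved by the backend, not on the raw string the client sent.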
CVE-2025-48187 (GCVE-0-2025-48187)
Vulnerability from cvelistv5 – Published: 2025-05-17 00:00 – Updated: 2025-05-19 15:56 – CWE-307 - Improper Restriction of Excessive Authentication Attempts
| Vendor | Product | Version |
|---|---|---|
| infiniflow | RAGFlow | Affected: 0 , ≤ 0.18.1 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48187",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T15:56:50.093826Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T15:56:53.263Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.cnblogs.com/qiushuo/p/18881084"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "RAGFlow",
"vendor": "infiniflow",
"versions": [
{
"lessThanOrEqual": "0.18.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:infiniflow:ragflow:*:*:*:*:*:*:*:*",
"versionEndIncluding": "0.18.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against email verification codes to perform arbitrary account registration, login, and password reset. Codes are six digits and there is no rate limiting."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-17T12:40:40.737Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/infiniflow/ragflow/commits/main/"
},
{
"url": "https://www.cnblogs.com/qiushuo/p/18881084"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-48187",
"datePublished": "2025-05-17T00:00:00.000Z",
"dateReserved": "2025-05-16T00:00:00.000Z",
"dateUpdated": "2025-05-19T15:56:53.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
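Three records above describe the same exposure for short numeric secrets: the EG4 inverters (CVE-2025-46414, unlimited PIN attempts against a known device serial, with clear feedback on the correct PIN), Weblate (CVE-2025-47951, no rate limit on second-factor OTP verification) and RAGFlow (CVE-2025-48187, six-digit email verification codes with no rate limiting). A six-digit code has one million values, so with per-guess feedback and no budget an attacker who knows the target identifier just enumerates them. The following is an added example, not code from any of those projects; the class names, the five-attempt budget, the ten-minute lifetime, the sample subject and the fixed code value are assumptions chosen so the run is reproducible. The vulnerable store is included beside the guarded one so the difference in attacker outcome is visible.

```python
"""Short numeric codes need a hard per-code attempt budget, an expiry and single use."""
import hmac
import secrets
import time

CODE_DIGITS = 6
MAX_ATTEMPTS = 5   # assumption: after five wrong guesses the code is void
CODE_TTL = 600     # assumption: ten-minute lifetime


class CodeStore:
    """One pending code per subject (email address, username, device serial)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.pending = {}  # subject -> [code, expires_at, attempts_left]

    def issue(self, subject: str, code=None) -> str:
        # Real use: always random. The demo passes a fixed code for reproducibility.
        if code is None:
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[subject] = [code, self.clock() + CODE_TTL, MAX_ATTEMPTS]
        return code

    def verify(self, subject: str, guess: str) -> bool:
        entry = self.pending.get(subject)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            self.pending.pop(subject, None)
            return False
        # Fixed-length codes, so the length check only rejects malformed input;
        # the digit comparison itself is constant-time.
        ok = len(guess) == len(code) and hmac.compare_digest(guess.encode(), code.encode())
        if ok:
            self.pending.pop(subject, None)  # single use
        else:
            entry[2] = attempts_left - 1
            if entry[2] == 0:
                self.pending.pop(subject, None)  # budget spent: a fresh code must be requested
        return ok


class NoLimitCodeStore(CodeStore):
    """The vulnerable shape: honest feedback per guess, no budget, no expiry, reusable."""

    def verify(self, subject: str, guess: str) -> bool:
        entry = self.pending.get(subject)
        return entry is not None and hmac.compare_digest(guess.encode(), entry[0].encode())


def enumerate_codes():
    for n in range(10 ** CODE_DIGITS):
        yield f"{n:0{CODE_DIGITS}d}"


def brute_force(store: CodeStore, subject: str):
    """Attacker who knows `subject` enumerates codes until one is accepted or the store refuses."""
    guesses = 0
    for guess in enumerate_codes():
        if subject not in store.pending:  # nothing left to guess against
            break
        guesses += 1
        if store.verify(subject, guess):
            return guesses, True
    return guesses, False


def demo():
    subject = "victim@example.com"  # constructed target identifier
    fixed_code = "004242"           # constructed code so the numbers below are deterministic
    weak = NoLimitCodeStore()
    weak.issue(subject, fixed_code)
    weak_result = brute_force(weak, subject)      # succeeds on guess 4243
    strong = CodeStore()
    strong.issue(subject, fixed_code)
    strong_result = brute_force(strong, subject)  # refused after 5 guesses
    return weak_result, strong_result


if __name__ == "__main__":
    print(demo())
```

With the budget in place the attacker's best move is to request a fresh code and spend five guesses on each, which at 5 in 1,000,000 per code needs on the order of 10^5 re-issues for even odds; throttling issuance per subject and per source, and logging repeated exhaustion, closes that path. The EG4 record is a reminder that the "subject" can be a device serial number rather than a user account, so the budget has to be keyed on whatever identifier the attacker is able to supply.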
CVE-2025-49186 (GCVE-0-2025-49186)
Vulnerability from cvelistv5 – Published: 2025-06-12 13:27 – Updated: 2026-05-13 11:59- CWE-307 - Improper Restriction of Excessive Authentication Attempts
| URL | Tags |
|---|---|
| https://sick.com/psirt | x_SICK PSIRT Website |
| https://cdn.sick.com/media/docs/1/11/411/Special_… | x_SICK Operating Guidelines |
| https://www.cisa.gov/resources-tools/resources/ic… | x_ICS-CERT recommended practices on Industrial Security |
| https://www.first.org/cvss/calculator/3.1 | x_CVSS v3.1 Calculator |
| https://www.sick.com/.well-known/csaf/white/2025/… | vendor-advisory |
| https://www.sick.com/.well-known/csaf/white/2025/… | vendor-advisory, x_csaf |
| Vendor | Product | Version |
|---|---|---|
| SICK AG | Field Analytics | Affected: all versions (custom) |
| SICK AG | Baggage Analytics | Affected: 0 , < 4.6.3 (custom) |
| SICK AG | Tire Analytics | Affected: 0 , < 4.6.3 (custom) |
| SICK AG | Package Analytics | Affected: 0 , < 4.6.3 (custom) |
| SICK AG | Logistic Diagnostic Analytics | Affected: 0 , < 4.6.3 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49186",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-12T13:44:43.611024Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-12T13:44:51.526Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Field Analytics",
"vendor": "SICK AG",
"versions": [
{
"status": "affected",
"version": "all versions",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Baggage Analytics",
"vendor": "SICK AG",
"versions": [
{
"lessThan": "4.6.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Tire Analytics",
"vendor": "SICK AG",
"versions": [
{
"lessThan": "4.6.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Package Analytics",
"vendor": "SICK AG",
"versions": [
{
"lessThan": "4.6.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Logistic Diagnostic Analytics",
"vendor": "SICK AG",
"versions": [
{
"lessThan": "4.6.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ccode\u003eThe product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks.\u003c/code\u003e"
}
],
"value": "The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T11:59:58.918Z",
"orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
"shortName": "SICK AG"
},
"references": [
{
"tags": [
"x_SICK PSIRT Website"
],
"url": "https://sick.com/psirt"
},
{
"tags": [
"x_SICK Operating Guidelines"
],
"url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
},
{
"tags": [
"x_ICS-CERT recommended practices on Industrial Security"
],
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"tags": [
"x_CVSS v3.1 Calculator"
],
"url": "https://www.first.org/cvss/calculator/3.1"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"
},
{
"tags": [
"vendor-advisory",
"x_csaf"
],
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "For Logistic Analytics Products:\u0026nbsp;It is strongly recommended to update the product to version 4.6.3."
}
],
"value": "For Logistic Analytics Products:\u00a0It is strongly recommended to update the product to version 4.6.3."
}
],
"source": {
"advisory": "sca-2025-0007",
"discovery": "INTERNAL"
},
"title": "No brute-force protection",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ccode\u003eFor Field Analytics: It is highly recommended to use a strong password with a length of at least eight characters and a combination of letters, numbers, capital letters and symbols. Please make also sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices.\u003c/code\u003e"
}
],
"value": "For Field Analytics: It is highly recommended to use a strong password with a length of at least eight characters and a combination of letters, numbers, capital letters and symbols. Please make also sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
"assignerShortName": "SICK AG",
"cveId": "CVE-2025-49186",
"datePublished": "2025-06-12T13:27:43.484Z",
"dateReserved": "2025-06-03T05:55:52.772Z",
"dateUpdated": "2026-05-13T11:59:58.918Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- Common protection mechanisms include:
  - Disconnecting the user after a small number of failed attempts
  - Implementing a timeout
  - Locking out a targeted account
  - Requiring a computational task on the user's part.
Mitigation ID: MIT-4
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Description:
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack
An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.
Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.
CAPEC-49: Password Brute Forcing
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
CAPEC-560: Use of Known Domain Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.
CAPEC-565: Password Spraying
In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account before moving on to the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords once enough time has passed to avoid inducing a lockout.
CAPEC-600: Credential Stuffing
An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-653: Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.