CVE-2025-45083
Description
Ullu app's parental PIN protection can be bypassed via brute force due to lack of rate-limiting, allowing unauthorized access to adult content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An incorrect access control vulnerability exists in Ullu app (Android v2.9.929, iOS v2.8.0, and web platform) where the parental PIN feature lacks rate-limiting or lockout mechanisms. This allows attackers to brute-force the 4-digit PIN and bypass parental controls [1].
For the web version, attackers can capture the HTTP request sent when entering a PIN and automate brute-force attempts using tools like Burp Intruder. For mobile apps, the PIN can be brute-forced locally, either manually or via tools like Frida, by intercepting PIN entry attempts [1].
Successful exploitation disables the parental lock, granting unauthorized users unrestricted access to adult content. This escalates privileges and violates content accessibility protections, posing legal and compliance risks for age-restricted content delivery [1].
No official patch or mitigation has been disclosed. Vendors should implement rate-limiting and account lockout to prevent brute-force attacks on the PIN feature.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
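The rate-limiting and lockout mitigation recommended above, sketched as an added example (not code from the vendor or from this CVE's references). `PinGuard`, the policy constants and the sample PIN are assumptions made for illustration; the state is meant to be kept per account on the server, since a check enforced only in the client can be stepped around.

```python
import hashlib, hmac, os

# Assumed policy values for illustration; the advisory does not specify any.
MAX_FAILURES = 5        # wrong guesses allowed before the first lockout
BASE_LOCKOUT_S = 60     # first lockout; doubles with each further failure
MAX_DOUBLINGS = 10      # cap so the lockout stays bounded (about 17 hours)

def lockout_seconds(failures):
    """Lockout imposed after the given number of consecutive failures."""
    if failures < MAX_FAILURES:
        return 0
    return BASE_LOCKOUT_S * 2 ** min(failures - MAX_FAILURES, MAX_DOUBLINGS)

class PinGuard:
    """Hypothetical server-side verifier for one account's 4-digit PIN."""

    def __init__(self, pin, clock):
        self._salt = os.urandom(16)
        self._hash = self._derive(pin)   # avoids storing the PIN in plaintext
        self._clock = clock              # injected so the policy is testable
        self._failures = 0
        self._locked_until = 0.0

    def _derive(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def verify(self, pin):
        now = self._clock()
        if now < self._locked_until:
            return "locked"              # rejected without evaluating the PIN
        if hmac.compare_digest(self._derive(pin), self._hash):
            self._failures = 0
            return "ok"
        self._failures += 1
        self._locked_until = now + lockout_seconds(self._failures)
        return "denied"

def min_seconds_to_try(n):
    """Least time before the n-th consecutive wrong guess can be evaluated."""
    return sum(lockout_seconds(k) for k in range(1, n))
```

Under these assumed values, `min_seconds_to_try(10_000)` shows that covering the whole 4-digit space takes roughly 19 years of enforced waiting, where the unthrottled endpoint imposes none.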
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.