CWE-307
Improper Restriction of Excessive Authentication Attempts
BaseDraft
Description
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-16 · CAPEC-49 · CAPEC-560 · CAPEC-565 · CAPEC-600 · CAPEC-652 · CAPEC-653
CVEs mapped to this weakness (113)
page 1 of 6| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2001-1339 | Cri | 0.69 | 9.8 | 0.24 | May 24, 2001 | Beck IPC GmbH IPC@CHIP telnet service does not delay or disconnect users from the service when bad passwords are entered, which makes it easier for remote attackers to conduct brute force password guessing attacks. | |
| CVE-2001-1291 | Cri | 0.67 | 9.8 | 0.07 | Jul 12, 2001 | The telnet server for 3Com hardware such as PS40 SuperStack II does not delay or disconnect remote attackers who provide an incorrect username or password, which makes it easier to break into the server via brute force password guessing. | |
| CVE-2024-41276 | Cri | 0.65 | 9.8 | 0.14 | Oct 1, 2024 | A vulnerability in Kaiten version 57.131.12 and earlier allows attackers to bypass the PIN code authentication mechanism. The application requires users to input a 6-digit PIN code sent to their email for authorization after entering their login credentials. However, the request limiting mechanism can be easily bypassed, enabling attackers to perform a brute force attack to guess the correct PIN and gain unauthorized access to the application. | |
| CVE-2026-33879 | Cri | 0.64 | 9.8 | 0.00 | Mar 27, 2026 | Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling brute-force and credential-stuffing attacks. FLIP users are external to the organization, increasing credential reuse risk. As of time of publication, it is unclear if a patch is available. | |
| CVE-2026-31851 | Cri | 0.64 | 9.8 | 0.00 | Mar 23, 2026 | Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement rate limiting or account lockout mechanisms on authentication interfaces. An attacker can perform unlimited authentication attempts against endpoints that rely on credential validation, enabling brute-force attacks to guess administrative credentials without restriction. | |
| CVE-2025-64310 | Cri | 0.64 | 9.8 | 0.00 | Nov 21, 2025 | EPSON WebConfig and Epson Web Control for SEIKO EPSON Projector Products do not restrict excessive authentication attempts. An administrative user's password may be identified through a brute force attack. | |
| CVE-2025-1740 | Cri | 0.64 | 9.8 | 0.00 | Sep 3, 2025 | Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft MyRezzta allows Authentication Bypass, Password Recovery Exploitation, Brute Force.This issue affects MyRezzta: from s2.03.01 before v2.05.01. | |
| CVE-2024-46442 | Cri | 0.64 | 9.8 | 0.00 | Dec 10, 2024 | An issue in the BYD Dilink Headunit System v3.0 to v4.0 allows attackers to bypass authentication via a bruteforce attack. | |
| CVE-2024-2051 | Cri | 0.64 | 9.8 | 0.00 | Mar 18, 2024 | CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could cause account takeover and unauthorized access to the system when an attacker conducts brute-force attacks against the login form. | |
| CVE-2023-35039 | Cri | 0.64 | 9.8 | 0.01 | Dec 7, 2023 | Improper Restriction of Excessive Authentication Attempts vulnerability in Be Devious Web Development Password Reset with Code for WordPress REST API allows Authentication Abuse.This issue affects Password Reset with Code for WordPress REST API: from n/a through 0.0.15. | |
| CVE-2001-0395 | Cri | 0.64 | 9.8 | 0.01 | Jul 2, 2001 | Lightwave ConsoleServer 3200 does not disconnect users after unsuccessful login attempts, which could allow remote attackers to conduct brute force password guessing. | |
| CVE-1999-1324 | Cri | 0.64 | 9.8 | 0.01 | Dec 31, 1999 | VAXstations running Open VMS 5.3 through 5.5-2 with VMS DECwindows or MOTIF do not properly disable access to user accounts that exceed the break-in limit threshold for failed login attempts, which makes it easier for attackers to conduct brute force password guessing. | |
| CVE-2025-4319 | Cri | 0.61 | 9.4 | 0.00 | Jan 23, 2026 | Improper Restriction of Excessive Authentication Attempts, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Birebirsoft Software and Technology Solutions Sufirmam allows Brute Force, Password Recovery Exploitation.This issue affects Sufirmam: through 23012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-6030 | Cri | 0.61 | — | 0.00 | Jun 13, 2025 | Use of fixed learning codes, one code to lock the car and the other code to unlock it, in the Key Fob Transmitter in Cyclone Matrix TRF Smart Keyless Entry System, which allows a replay attack. Research was completed on the 2024 KIA Soluto. Attack confirmed on other KIA Models in Ecuador. | |
| CVE-2025-6029 | Cri | 0.61 | — | 0.00 | Jun 13, 2025 | Use of fixed learning codes, one code to lock the car and the other code to unlock it, the Key Fob Transmitter in KIA-branded Aftermarket Generic Smart Keyless Entry System, primarily distributed in Ecuador, which allows a replay attack. Manufacture is unknown at the time of release. CVE Record will be updated once this is clarified. | |
| CVE-2025-4383 | Cri | 0.60 | 9.3 | 0.00 | Jun 24, 2025 | Improper Restriction of Excessive Authentication Attempts vulnerability in Art-in Bilişim Teknolojileri ve Yazılım Hizm. Tic. Ltd. Şti. Wi-Fi Cloud Hotspot allows Authentication Abuse, Authentication Bypass.This issue affects Wi-Fi Cloud Hotspot: before 30.05.2025. | |
| CVE-2024-9832 | Cri | 0.60 | 9.3 | 0.00 | Nov 14, 2024 | There is no limit on the number of failed login attempts permitted with the Clinician Password or the Serial Number Clinician Password. An attacker could execute a brute-force attack to gain unauthorized access to the ventilator, and then make changes to device settings that could disrupt the function of the device and/or result in unauthorized information disclosure. | |
| CVE-2024-48143 | Cri | 0.59 | 9.1 | 0.00 | Oct 24, 2024 | A lack of rate limiting in the OTP validation component of Digitory Multi Channel Integrated POS v1.0 allows attackers to gain access to the ordering system and place an excessive amount of food orders. | |
| CVE-2024-45523 | Cri | 0.59 | 9.1 | 0.00 | Sep 18, 2024 | An issue was discovered in Bravura Security Fabric versions 12.3.x before 12.3.5.32784, 12.4.x before 12.4.3.35110, 12.5.x before 12.5.2.35950, 12.6.x before 12.6.2.37183, and 12.7.x before 12.7.1.38241. An unauthenticated attacker can cause a resource leak by issuing multiple failed login attempts through API SOAP. | |
| CVE-2026-41037 | Hig | 0.57 | 8.8 | 0.00 | Apr 21, 2026 | This vulnerability exists in Quantum Networks router due to missing rate limiting and CAPTCHA protection for failed login attempts in the web-based management interface. An attacker on the same network could exploit this vulnerability by performing brute force attacks against administrative credentials, leading to unauthorized access with root privileges on the targeted device. |