VYPR

CWE-307

Improper Restriction of Excessive Authentication Attempts

BaseDraft

Description

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-16 · CAPEC-49 · CAPEC-560 · CAPEC-565 · CAPEC-600 · CAPEC-652 · CAPEC-653

CVEs mapped to this weakness (225)

page 2 of 12
  • CVE-2017-7898CriJun 30, 2017
    risk 0.64cvss 9.8epss 0.05

    An Improper Restriction of Excessive Authentication Attempts issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers 1763-L16AWA, Series A and B, Version 16.00 and prior versions; 1763-L16BBB, Series A and B, Version 16.00 and…

  • CVE-2017-1197CriJun 15, 2017
    risk 0.64cvss 9.8epss 0.02

    IBM BigFix Compliance (TEMA SUAv1 SCA SCM) uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 123672.

  • CVE-2017-7915CriMay 29, 2017
    risk 0.64cvss 9.8epss 0.02

    An Improper Restriction of Excessive Authentication Attempts issue was discovered in Moxa OnCell G3110-HSPA Version 1.3 build 15082117 and previous versions, OnCell G3110-HSDPA Version 1.2 Build 09123015 and previous versions, OnCell G3150-HSDPA Version 1.4 Build 11051315 and…

  • CVE-2016-9124CriMar 28, 2017
    risk 0.64cvss 9.8epss 0.02

    Revive Adserver before 3.2.3 suffers from Improper Restriction of Excessive Authentication Attempts. The login page of Revive Adserver is vulnerable to password-guessing attacks. An account lockdown feature was considered, but rejected to avoid introducing service disruptions to…

  • CVE-2016-9366CriFeb 13, 2017
    risk 0.64cvss 9.8epss 0.02

    An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series & NPort P5150A versions…

  • CVE-2001-0395CriJul 2, 2001
    risk 0.64cvss 9.8epss 0.02

    Lightwave ConsoleServer 3200 does not disconnect users after unsuccessful login attempts, which could allow remote attackers to conduct brute force password guessing.

  • CVE-1999-1324CriDec 31, 1999
    risk 0.64cvss 9.8epss 0.03

    VAXstations running Open VMS 5.3 through 5.5-2 with VMS DECwindows or MOTIF do not properly disable access to user accounts that exceed the break-in limit threshold for failed login attempts, which makes it easier for attackers to conduct brute force password guessing.

  • CVE-2025-4319CriJan 23, 2026
    risk 0.61cvss 9.4epss 0.00

    Improper Restriction of Excessive Authentication Attempts, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Birebirsoft Software and Technology Solutions Sufirmam allows Brute Force, Password Recovery Exploitation. This issue affects Sufirmam: through…

  • CVE-2025-6030CriJun 13, 2025
    risk 0.61cvss epss 0.00

    Use of fixed learning codes, one code to lock the car and the other code to unlock it, in the Key Fob Transmitter in Cyclone Matrix TRF Smart Keyless Entry System, which allows a replay attack. Research was completed on the 2024 KIA Soluto.  Attack confirmed on other KIA…

  • CVE-2025-6029CriJun 13, 2025
    risk 0.61cvss epss 0.01

    Use of fixed learning codes, one code to lock the car and the other code to unlock it, the Key Fob Transmitter in KIA-branded Aftermarket Generic Smart Keyless Entry System, primarily distributed in Ecuador, which allows a replay attack. Manufacture is unknown at the time of…

  • CVE-2025-4383CriJun 24, 2025
    risk 0.60cvss 9.3epss 0.00

    Improper Restriction of Excessive Authentication Attempts vulnerability in Art-in Bilişim Teknolojileri ve Yazılım Hizm. Tic. Ltd. Şti. Wi-Fi Cloud Hotspot allows Authentication Abuse, Authentication Bypass. This issue affects Wi-Fi Cloud Hotspot: before 30.05.2025.

  • CVE-2024-9832CriNov 14, 2024
    risk 0.60cvss 9.3epss 0.00

    There is no limit on the number of failed login attempts permitted with the Clinician Password or the Serial Number Clinician Password. An attacker could execute a brute-force attack to gain unauthorized access to the ventilator, and then make changes to device settings that…

  • CVE-2014-5414CriOct 5, 2016
    risk 0.60cvss 9.1epss 0.05

    Beckhoff Embedded PC images before 2014-10-22 and Automation Device Specification (ADS) TwinCAT components do not restrict the number of authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force attack.

  • CVE-2025-69615CriMar 10, 2026
    risk 0.59cvss 9.1epss 0.00

    Incorrect Access Control via missing 2FA rate-limiting allowing unlimited brute-force retries and full MFA bypass with no user interaction required. Affected Product: Deutsche Telekom AG Telekom Account Management Portal, versions before 2025-10-24, fixed 2025-11-03.

  • CVE-2025-1928CriDec 19, 2025
    risk 0.59cvss 9.1epss 0.00

    Improper Restriction of Excessive Authentication Attempts vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Password Recovery Exploitation. This issue affects Online Food Delivery System: through 19122025. NOTE: The vendor was contacted…

  • CVE-2024-48143CriOct 24, 2024
    risk 0.59cvss 9.1epss 0.00

    A lack of rate limiting in the OTP validation component of Digitory Multi Channel Integrated POS v1.0 allows attackers to gain access to the ordering system and place an excessive amount of food orders.

  • CVE-2024-45523CriSep 18, 2024
    risk 0.59cvss 9.1epss 0.00

    An issue was discovered in Bravura Security Fabric versions 12.3.x before 12.3.5.32784, 12.4.x before 12.4.3.35110, 12.5.x before 12.5.2.35950, 12.6.x before 12.6.2.37183, and 12.7.x before 12.7.1.38241. An unauthenticated attacker can cause a resource leak by issuing multiple…

  • CVE-2026-3329HigJun 11, 2026
    risk 0.57cvss epss 0.01

    A remote unauthenticated attacker may be able to conduct credential-guessing attacks against user accounts in Sonatype Nexus Repository via authentication endpoints.

  • CVE-2026-36607HigJun 3, 2026
    risk 0.57cvss 8.8epss 0.00

    Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint (code=10), which lacks the rate limiting applied to the login endpoint (code=7). An attacker on the adjacent network can attempt…

  • CVE-2026-8760CriMay 27, 2026
    risk 0.57cvss 9.8epss 0.01

    The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout check added to `otpl_login_action()` was placed only inside the OTP-generation…