Total
375 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-45404 | 1 Citeum | 1 Opencti | 2025-05-17 | N/A | 8.1 HIGH |
| OpenCTI is an open-source cyber threat intelligence platform. In versions below 6.2.18, because the function to limit the rate of OTP does not exist, an attacker with valid credentials or a malicious user who commits internal fraud can break through the two-factor authentication and hijack the account. This is because the otpLogin mutation does not implement One Time Password rate limiting. As of time of publication, it is unknown whether a patch is available. | |||||
| CVE-2022-33106 | 1 Wijungle | 2 U250, U250 Firmware | 2025-05-16 | N/A | 9.8 CRITICAL |
| WiJungle NGFW Version U250 was discovered to be vulnerable to No Rate Limit attack, allowing the attacker to brute force the admin password leading to Account Take Over. | |||||
| CVE-2022-40055 | 1 Gxgroup | 2 Gpon Ont Titanium 2122a, Gpon Ont Titanium 2122a Firmware | 2025-05-14 | N/A | 9.8 CRITICAL |
| An issue in GX Group GPON ONT Titanium 2122A T2122-V1.26EXL allows attackers to escalate privileges via a brute force attack at the login page. | |||||
| CVE-2025-3709 | 1 Flowring | 1 Agentflow | 2025-05-07 | N/A | 9.8 CRITICAL |
| Agentflow from Flowring Technology has an Account Lockout Bypass vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to perform password brute force attack. | |||||
| CVE-2022-44022 | 1 Pwndoc Project | 1 Pwndoc | 2025-05-07 | N/A | 5.3 MEDIUM |
| PwnDoc through 0.5.3 might allow remote attackers to identify valid user account names by leveraging response timings for authentication attempts. | |||||
| CVE-2023-27172 | 1 Xpand-it | 1 Write-back Manager | 2025-05-06 | N/A | 9.1 CRITICAL |
| Xpand IT Write-back Manager v2.3.1 uses weak secret keys to sign JWT tokens. This allows attackers to easily obtain the secret key used to sign JWT tokens via a bruteforce attack. | |||||
| CVE-2024-28022 | 1 Hitachienergy | 2 Foxman-un, Unem | 2025-04-29 | N/A | 6.5 MEDIUM |
| A vulnerability exists in the UNEM server / APIGateway that if exploited allows a malicious user to perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to other components in the same security realm using the targeted account. | |||||
| CVE-2022-37772 | 1 Maarch | 1 Maarch Rm | 2025-04-25 | N/A | 7.5 HIGH |
| Maarch RM 2.8.3 solution contains an improper restriction of excessive authentication attempts due to excessive verbose responses from the application. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to compromised accounts. | |||||
| CVE-2022-23746 | 1 Checkpoint | 1 Ssl Network Extender | 2025-04-25 | N/A | 7.5 HIGH |
| The IPsec VPN blade has a dedicated portal for downloading and connecting through SSL Network Extender (SNX). If the portal is configured for username/password authentication, it is vulnerable to a brute-force attack on usernames and passwords. | |||||
| CVE-2025-42600 | 2025-04-23 | N/A | N/A | ||
| This vulnerability exists in Meon KYC solutions due to missing restrictions on the number of incorrect One-Time Password (OTP) attempts through certain API endpoints of login process. A remote attacker could exploit this vulnerability by performing a brute force attack on OTP, which could lead to gain unauthorized access to other user accounts. | |||||
| CVE-2021-22640 | 1 Ovarro | 15 Tbox Lt2-530, Tbox Lt2-530 Firmware, Tbox Lt2-532 and 12 more | 2025-04-17 | N/A | 9.8 CRITICAL |
| An attacker can decrypt the Ovarro TBox login password by communication capture and brute force attacks. | |||||
| CVE-2022-45893 | 1 Planetestream | 1 Planet Estream | 2025-04-14 | N/A | 8.8 HIGH |
| Planet eStream before 6.72.10.07 allows a low-privileged user to gain access to administrative and high-privileged user accounts by changing the value of the ON cookie. A brute-force attack can calculate a value that provides permanent access. | |||||
| CVE-2022-26964 | 1 Devolutions | 1 Remote Desktop Manager | 2025-04-14 | N/A | 7.5 HIGH |
| Weak password derivation for export in Devolutions Remote Desktop Manager before 2022.1 allows information disclosure via a password brute-force attack. An error caused base64 to be decoded. | |||||
| CVE-2024-24767 | 1 Icewhale | 1 Casaos | 2025-04-10 | N/A | 9.8 CRITICAL |
| CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, CasaOS doesn't defend against password brute force attacks, which leads to having full access to the server. The web application lacks control over the login attempts. This vulnerability allows attackers to get super user-level access over the server. Version 0.4.7 contains a patch for this issue. | |||||
| CVE-2023-23730 | 1 Brainstormforce | 1 Spectra | 2025-04-10 | N/A | 5.3 MEDIUM |
| Improper Restriction of Excessive Authentication Attempts vulnerability in Brainstorm Force Spectra allows Functionality Bypass.This issue affects Spectra: from n/a through 2.3.0. | |||||
| CVE-2022-38491 | 1 Easyvista | 1 Service Manager | 2025-04-09 | N/A | 7.5 HIGH |
| An issue was discovered in EasyVista 2020.2.125.3 and 2022.1.109.0.03. Part of the application does not implement protection against brute-force attacks. Version 2022.1.133.0 corrects this issue. | |||||
| CVE-2023-22960 | 1 Lexmark | 256 B2236, B2236 Firmware, B2338 and 253 more | 2025-04-02 | N/A | 7.5 HIGH |
| Lexmark products through 2023-01-10 have Improper Control of Interaction Frequency. | |||||
| CVE-2021-27782 | 1 Hcltech | 1 Bigfix Mobile | 2025-04-02 | N/A | 7.5 HIGH |
| HCL BigFix Mobile / Modern Client Management Admin and Config UI passwords can be brute-forced. User should be locked out for multiple invalid attempts. | |||||
| CVE-2025-2911 | 2025-03-28 | N/A | N/A | ||
| Unauthorised access to the call forwarding service system in MeetMe products in versions prior to 2024-09 allows an attacker to identify multiple users and perform brute force attacks via extensions. | |||||
| CVE-2023-42818 | 1 Fit2cloud | 1 Jumpserver | 2025-03-25 | N/A | 9.8 CRITICAL |
| JumpServer is an open source bastion host. When users enable MFA and use a public key for authentication, the Koko SSH server does not verify the corresponding SSH private key. An attacker could exploit a vulnerability by utilizing a disclosed public key to attempt brute-force authentication against the SSH service This issue has been patched in versions 3.6.5 and 3.5.6. Users are advised to upgrade. There are no known workarounds for this issue. | |||||