
CWE-307 (Improper Restriction of Excessive Authentication Attempts) — Vulnerability Class 342

342 vulnerabilities classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts). AI Chinese analysis included.

CWE-307 represents a critical authentication weakness where systems fail to adequately restrict the number of login attempts within a specific timeframe. This vulnerability is typically exploited by attackers conducting brute-force or credential stuffing attacks, allowing them to systematically guess valid usernames and passwords until access is granted. Without proper safeguards, automated tools can rapidly cycle through extensive password dictionaries, compromising user accounts and sensitive data. To mitigate this risk, developers must implement robust countermeasures such as account lockout policies after a defined number of failures, progressive delays between login attempts, or CAPTCHA challenges to distinguish human users from bots. Additionally, integrating multi-factor authentication provides an essential layer of defense, ensuring that even if credentials are compromised, unauthorized access remains blocked.

MITRE CWE Description

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

Common Consequences (1)

Access Control: Bypass Protection Mechanism
An attacker could perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to the targeted account using a brute force attack.

Mitigations (2)

Architecture and Design: Common protection mechanisms include:
- Disconnecting the user after a small number of failed attempts
- Implementing a timeout
- Locking out a targeted account
- Requiring a computational task on the user's part

Architecture and Design: Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45].

Examples (2)
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
The following code, extracted from a servlet's doPost() method, performs an authentication lookup every time the servlet is invoked.

// Credentials are checked on every request; nothing counts failures, delays or locks the account.
String username = request.getParameter("username");
String password = request.getParameter("password");
int authResult = authenticateUser(username, password);

Bad · Java
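The mitigations listed above (a timeout, a lockout after a small number of failures, disconnecting the user) are what the servlet snippet lacks. The following Python example is added here and is not code from the page, from MITRE, or from any of the listed products; it shows one way to enforce those limits before the credential check runs. The class and function names (LoginThrottle, login, verify_password, ManualClock), the sample account "alice" and the source addresses are constructed for the demonstration. It goes slightly beyond the text by keying the limit on both the account and the source address, and by doing equal work for unknown usernames so that response time does not reveal which accounts exist (the concern behind the "User Enumeration" rows in the table below).

```python
import hashlib
import hmac
import time
from dataclasses import dataclass


@dataclass
class AttemptState:
    failures: int = 0          # consecutive failures since the last success
    not_before: float = 0.0    # earliest time the next attempt is accepted (progressive delay)
    locked_until: float = 0.0  # non-zero while the key is locked out


class LoginThrottle:
    """Per-key limiter: doubling delay after each failure, lockout at max_failures.

    Keys are opaque strings; the caller decides whether to throttle per account,
    per source address, or both. The clock is injectable so the logic can be
    exercised deterministically (constructed example, not a library API).
    """

    def __init__(self, max_failures=5, lockout_seconds=900.0,
                 base_delay=1.0, max_delay=60.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self._state = {}

    def retry_after(self, key):
        """Seconds the caller must wait before `key` may try again; 0.0 means allowed now."""
        st = self._state.get(key)
        if st is None:
            return 0.0
        now = self.clock()
        return max(0.0, st.locked_until - now, st.not_before - now)

    def record_failure(self, key):
        st = self._state.setdefault(key, AttemptState())
        now = self.clock()
        if st.locked_until and now >= st.locked_until:
            st.failures, st.locked_until = 0, 0.0  # an expired lockout opens a fresh window
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
        else:
            st.not_before = now + min(self.max_delay, self.base_delay * 2 ** (st.failures - 1))
        return st.failures

    def record_success(self, key):
        self._state.pop(key, None)


# Constructed sample credential store: one account, salted PBKDF2 hash (not a real user).
PBKDF2_ROUNDS = 50_000
_SALT_ALICE = b"constructed-salt"
USERS = {
    "alice": (_SALT_ALICE, hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple",
                                               _SALT_ALICE, PBKDF2_ROUNDS)),
}


def verify_password(username, password):
    entry = USERS.get(username)
    if entry is None:
        # Same work for unknown names, so timing does not reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return False
    salt, expected = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)


def login(throttle, username, password, source_ip):
    """Returns (status, retry_after_seconds); status is 'ok', 'denied' or 'throttled'."""
    keys = (f"user:{username}", f"ip:{source_ip}")
    wait = max(throttle.retry_after(k) for k in keys)
    if wait > 0:
        return ("throttled", wait)          # credentials are not even checked while throttled
    if verify_password(username, password):
        throttle.record_success(keys[0])    # success clears the account counter only
        return ("ok", 0.0)
    for k in keys:
        throttle.record_failure(k)
    return ("denied", throttle.retry_after(keys[0]))


class ManualClock:
    """Deterministic clock for the demonstration; production code keeps time.monotonic."""
    def __init__(self, start=1000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = ManualClock()
    throttle = LoginThrottle(max_failures=3, lockout_seconds=600.0, clock=clock)
    for pw in ("wrong", "wrong", "wrong"):
        print(login(throttle, "alice", pw, "203.0.113.7"))   # delays grow, then lockout
        clock.advance(60.0)
    print(login(throttle, "alice", "correct horse battery staple", "203.0.113.7"))
```

The order matters: the throttle is consulted first, so a throttled request never reaches the password check and therefore costs the server nothing beyond a dictionary lookup. Keeping state in a process-local dictionary is only adequate for a single instance; a deployment with several application servers needs the counters in shared storage, otherwise each node grants its own allowance of failures.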
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-0417 | Valmet DNA Lack of protection against brute force attacks | Valmet DNA | 9.1 (AI) | Critical (AI) | 2025-04-01
CVE-2025-2911 | Improper Restriction of Excessive Authentication Attempts vulnerability in MeetMe products | MeetMe | 9.1 | - | 2025-03-28
CVE-2025-1496 | Improper Authentication in BG-TEK's Coslat Hotspot | Coslat Hotspot | 6.5 | Medium | 2025-03-20
CVE-2024-12039 | Improper Restriction of Excessive Authentication Attempts in langgenius/dify | langgenius/dify | 9.8 | - | 2025-03-20
CVE-2024-51476 | IBM Concert Software information disclosure | Concert Software | 7.5 | High | 2025-03-06
CVE-2025-23368 | Org.wildfly.core:wildfly-elytron-integration: wildfly elytron brute force attack via cli | | 8.1 | High | 2025-03-04
CVE-2025-1629 | Excitel Broadband Private my Excitel App One-Time Password excessive authentication | my Excitel App | 3.5 | Low | 2025-02-24
CVE-2025-24806 | Regulation applies separately to Username-based logins to Email-based logins in authelia | authelia | 9.1 | - | 2025-02-19
CVE-2025-22645 | WordPress Real Estate Manager plugin <= 7.3 - Captcha Bypass Vulnerability | Real Estate Manager | 5.3 | Medium | 2025-02-18
CVE-2024-23106 | Fortinet FortiClientEMS security vulnerability | FortiClientEMS | 7.7 | High | 2025-01-14
CVE-2024-8429 | Improper Authentication in Digital Operation Services' WiFiBurada | WiFiBurada | 4.3 | Medium | 2024-12-17
CVE-2024-38488 | Dell RecoverPoint for Virtual Machines security vulnerability | RecoverPoint for Virtual Machines | 6.5 | Medium | 2024-12-13
CVE-2024-9928 | Hitachi Energy NSD570 security vulnerability | NSD570 Teleprotection Equipment | 5.3 | Medium | 2024-11-26
CVE-2024-49597 | Dell Wyse Management Suite security vulnerability | Wyse Management Suite | 7.6 | High | 2024-11-26
CVE-2024-5716 | Logsign Unified SecOps Platform Authentication Bypass Vulnerability | Unified SecOps Platform | 9.8 | - | 2024-11-22
CVE-2024-0787 | Improper Restriction of Excessive Authentication Attempts in phpipam/phpipam | phpipam/phpipam | 9.8 (AI) | Critical (AI) | 2024-11-15
CVE-2024-9832 | No limit on failed login attempts with Clinician Password or Serial Number Clinician Password on Life2000 Ventilator | Life2000 Ventilation System | 9.3 | Critical | 2024-11-14
CVE-2024-51720 | Vulnerabilities in SecuSUITE Server Components Impact SecuSUITE | SecuSUITE | 4.8 | Medium | 2024-11-12
CVE-2024-11126 | Digistar AG-30 Plus Login Page excessive authentication | AG-30 Plus | 3.1 | Low | 2024-11-12
CVE-2024-47592 | Information Disclosure Vulnerability in SAP NetWeaver Application Server Java (Logon Application) | SAP NetWeaver Application Server Java (Logon Application) | 5.3 | Medium | 2024-11-12
CVE-2024-51558 | Brute Force Attack Vulnerability in Wave 2.0 | Wave 2.0 | 9.8 (AI) | Critical (AI) | 2024-11-04
CVE-2024-7292 | Account Controller allows high count of login attempts | Telerik Report Server | 7.5 | High | 2024-10-09
CVE-2024-47656 | User Enumeration vulnerability | Client Dashboard | 9.8 | - | 2024-10-04
CVE-2024-47088 | User Enumeration vulnerability | LD Geo | 9.8 (AI) | Critical (AI) | 2024-09-19
CVE-2024-5682 | User Enumeration in Yordam Information Technology's Yordam Library Automation System | Yordam Library Automation System | 9.1 (AI) | Critical (AI) | 2024-09-18
CVE-2024-45790 | User Enumeration vulnerability | Mutual Fund Distribution Product (aiM-Star) | 9.8 (AI) | Critical (AI) | 2024-09-11
CVE-2024-45327 | Fortinet FortiSOAR security vulnerability | FortiSOAR | 7.1 | High | 2024-09-11
CVE-2024-32771 | QTS, QuTS hero | QTS | 2.6 | Low | 2024-09-06
CVE-2024-8462 | Windmill HTTP Request users.rs excessive authentication | Windmill | 3.7 | Low | 2024-09-05
CVE-2024-42466 | Lack of resources and rate limiting - login | upKeeper Manager | 9.8 (AI) | Critical (AI) | 2024-08-16

Vulnerabilities classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts) represent 342 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.