
CWE-307 (Improper Restriction of Excessive Authentication Attempts) — Vulnerability Class (332 CVEs)

332 vulnerabilities are classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts). AI-generated Chinese-language analysis is included for each.

CWE-307 represents a critical authentication weakness where systems fail to adequately restrict the number of login attempts within a specific timeframe. This vulnerability is typically exploited by attackers conducting brute-force or credential stuffing attacks, allowing them to systematically guess valid usernames and passwords until access is granted. Without proper safeguards, automated tools can rapidly cycle through extensive password dictionaries, compromising user accounts and sensitive data. To mitigate this risk, developers must implement robust countermeasures such as account lockout policies after a defined number of failures, progressive delays between login attempts, or CAPTCHA challenges to distinguish human users from bots. Additionally, integrating multi-factor authentication provides an essential layer of defense, ensuring that even if credentials are compromised, unauthorized access remains blocked.

MITRE CWE Description
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Common Consequences (1)
Scope: Access Control. Impact: Bypass Protection Mechanism.
An attacker could perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to the targeted account using a brute force attack.
Mitigations (2)
Architecture and Design: Common protection mechanisms include:
- Disconnecting the user after a small number of failed attempts
- Implementing a timeout
- Locking out a targeted account
- Requiring a computational task on the user's part
Architecture and Design: Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45].
Examples (2)
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
The following code, extracted from a servlet's doPost() method, performs an authentication lookup every time the servlet is invoked, with no count of prior failures, no delay and no lockout.
Bad · Java
    // Extracted from doPost(): the credential lookup runs unconditionally on every request
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    int authResult = authenticateUser(username, password);
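As an added illustration (this is not the CWE entry's or MITRE's code), the same servlet logic with the mitigations listed above applied: the credential check runs only after a per-account failure counter, a progressive delay and a temporary lockout have been consulted, and a success resets the counter. The class GuardedLogin, its AttemptState record, the Result enum, the injectable clock and the stand-in authenticateUser() with its constructed demo credentials are all assumptions for this example, not part of any real servlet or library.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import java.util.function.LongSupplier;

// Added example, not the CWE entry's code. Guards the credential lookup with a
// per-account failure counter, progressive delay and temporary lockout (CWE-307).
public class GuardedLogin {

    enum Result { SUCCESS, BAD_CREDENTIALS, THROTTLED, LOCKED }

    // Per-account failure state. In production this belongs in a shared store
    // (database or cache) so every application server sees the same counters.
    static final class AttemptState {
        int consecutiveFailures = 0;
        long lastFailureMillis = 0;
        long lockedUntilMillis = 0;
    }

    private final Map<String, AttemptState> states = new HashMap<>();
    private final LongSupplier clock;      // injectable so the demo runs without sleeping
    private final int maxFailures;         // failures before the account is locked
    private final long lockoutMillis;      // how long a lockout lasts
    private final long baseDelayMillis;    // delay enforced after the first failure

    GuardedLogin(LongSupplier clock, int maxFailures, long lockoutMillis, long baseDelayMillis) {
        this.clock = clock;
        this.maxFailures = maxFailures;
        this.lockoutMillis = lockoutMillis;
        this.baseDelayMillis = baseDelayMillis;
    }

    // Progressive delay after n consecutive failures: base * 2^(n-1), capped at the lockout length.
    long requiredDelayMillis(int failures) {
        if (failures <= 0) return 0;
        long delay = baseDelayMillis << Math.min(failures - 1, 10);
        return Math.min(delay, lockoutMillis);
    }

    synchronized Result login(String username, String password) {
        long now = clock.getAsLong();
        AttemptState st = states.computeIfAbsent(username, k -> new AttemptState());

        // Cheap checks first: the credential lookup is never reached while locked or throttled.
        if (now < st.lockedUntilMillis) return Result.LOCKED;
        if (now - st.lastFailureMillis < requiredDelayMillis(st.consecutiveFailures)) return Result.THROTTLED;

        if (authenticateUser(username, password)) {
            states.remove(username);               // success clears the failure history
            return Result.SUCCESS;
        }
        st.consecutiveFailures++;
        st.lastFailureMillis = now;
        if (st.consecutiveFailures >= maxFailures) {
            st.lockedUntilMillis = now + lockoutMillis;
        }
        return Result.BAD_CREDENTIALS;
    }

    // Stand-in for the real credential check (hypothetical; constructed demo credentials).
    // MessageDigest.isEqual gives a constant-time comparison; real code compares password hashes.
    static boolean authenticateUser(String username, String password) {
        byte[] expected = "correct horse".getBytes(StandardCharsets.UTF_8);
        return "alice".equals(username)
            && MessageDigest.isEqual(expected, password.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        long[] fakeNow = {0};
        GuardedLogin guard = new GuardedLogin(() -> fakeNow[0], 5, 15 * 60_000L, 1_000L);

        // Six wrong guesses one minute apart: the fifth failure locks the account for 15 minutes.
        for (int i = 1; i <= 6; i++) {
            fakeNow[0] = i * 60_000L;
            System.out.println("attempt " + i + ": " + guard.login("alice", "guess" + i));
        }
        fakeNow[0] = 6 * 60_000L + 5;                 // correct password while still locked
        System.out.println("correct password while locked: " + guard.login("alice", "correct horse"));
        fakeNow[0] = 5 * 60_000L + 15 * 60_000L;     // lockout has just expired
        System.out.println("correct password after lockout: " + guard.login("alice", "correct horse"));
    }
}
```

Two design points worth noting. The lockout here keeps the failure counter after it expires, so one more wrong guess re-locks the account immediately; resetting the counter on expiry is friendlier to legitimate users but hands an attacker a fresh batch of guesses every window. And because the guard is keyed by account only, it should be paired with a per-source rate limit and a uniform error response, otherwise the distinct THROTTLED/LOCKED results can reveal which usernames exist.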
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-10658 | SupportCandy – Helpdesk & Customer Support Ticket System <= 3.3.7 - Authentication Bypass to Support Session Takeover | SupportCandy – Helpdesk & Customer Support Ticket System | 6.5 | Medium | 2025-09-20
CVE-2025-54860 | Cognex In-Sight Explorer and In-Sight Camera Firmware Improper Restriction of Excessive Authentication Attempts | In-Sight 2000 series | 7.7 | High | 2025-09-18
CVE-2025-36758 | Bypass of bruteforce protection in SolaX Cloud | SolaX Cloud | 9.8 (AI) | Critical (AI) | 2025-09-10
CVE-2025-57815 | Fides Lacks Brute-Force Protections on Authentication Endpoints | fides | 9.8 (AI) | Critical (AI) | 2025-09-08
CVE-2025-2411 | OTP Bypass in Akinsoft's TaskPano | TaskPano | 8.6 | High | 2025-09-04
CVE-2025-2417 | OTP Bypass in Akinsoft's e-Mutabakat | e-Mutabakat | 8.6 | High | 2025-09-04
CVE-2025-2416 | OTP Bypass in Akinsoft's LimonDesk | LimonDesk | 8.6 | High | 2025-09-03
CVE-2025-2415 | OTP Bypass in Akinsoft's MyRezzta | MyRezzta | 8.6 | High | 2025-09-03
CVE-2025-1740 | Authentication Bypass in Akinsoft's MyRezzta | MyRezzta | 9.8 | Critical | 2025-09-03
CVE-2025-2413 | OTP Bypass in Akinsoft's ProKuafor | ProKuafor | 8.6 | High | 2025-09-02
CVE-2025-2414 | OTP Bypass in Akinsoft's OctoCloud | OctoCloud | 8.6 | High | 2025-09-02
CVE-2025-2412 | OTP Bypass in Akinsoft's QR Menu | QR Menu | 8.6 | High | 2025-09-01
CVE-2025-9004 | mtons mblog password excessive authentication | mblog | 3.7 | Low | 2025-08-15
CVE-2025-8927 | mtons mblog Verification Code send_code excessive authentication | mblog | 3.7 | Low | 2025-08-13
CVE-2025-55003 | OpenBao Login MFA Bypasses Rate Limiting and TOTP Token Reuse | openbao | 5.7 | Medium | 2025-08-09
CVE-2025-54998 | OpenBao Userpass and LDAP User Lockout Bypass | openbao | 5.3 | Medium | 2025-08-09
CVE-2025-8742 | macrozheng mall Admin Login excessive authentication | mall | 3.7 | Low | 2025-08-08
CVE-2025-46414 | EG4 Electronics EG4 Inverters Improper Restriction of Excessive Authentication Attempts | EG4 12kPV | 8.1 | High | 2025-08-08
CVE-2025-53544 | Trilium Notes is Vulnerable to Brute-force Protection Bypass via Initial Sync Seed Retrieval | Trilium | 7.5 | High | 2025-08-05
CVE-2025-6015 | Vault Login MFA Bypass of Rate Limiting and TOTP Code Reuse | Vault | 5.7 | Medium | 2025-08-01
CVE-2025-6004 | Vault Userpass and LDAP User Lockout Bypass | Vault | 5.3 | Medium | 2025-08-01
CVE-2023-32251 | Kernel: ksmbd brute force delay bypass via asynchronous requests | - | 3.7 | Low | 2025-07-31
CVE-2025-54833 | OPEXUS FOIAXpress Public Access Link (PAL) account-lockout and CAPTCHA protection bypass | FOIAXpress Public Access Link (PAL) | 5.3 | Medium | 2025-07-31
CVE-2024-49342 | IBM Informix Dynamic Server information disclosure | Informix Dynamic Server | 7.5 | High | 2025-07-28
CVE-2025-7393 | Mail Login - Critical - Access bypass - SA-CONTRIB-2025-088 | Mail Login | 9.8 | - | 2025-07-21
CVE-2025-7882 | Mercusys MW301R Login excessive authentication | MW301R | 3.1 | Low | 2025-07-20
CVE-2024-9342 | Eclipse GlassFish security vulnerability | Eclipse Glassfish | 9.8 | - | 2025-07-16
CVE-2025-27456 | CVE-2025-27456 | Endress+Hauser MEAC300-FNADE4 | 7.5 | High | 2025-07-03
CVE-2025-27449 | CVE-2025-27449 | Endress+Hauser MEAC300-FNADE4 | 7.5 | High | 2025-07-03
CVE-2025-1710 | CVE-2025-1710 | Endress+Hauser MEAC300-FNADE4 | 7.5 | High | 2025-07-03

"(AI)" marks a CVSS score or severity that the source page labels as AI-generated rather than vendor-assigned; "-" marks a field the source page leaves empty.

Vulnerabilities classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts) account for 332 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.