CWE-307
AllowedImproper Restriction of Excessive Authentication Attempts
Abstraction: Base · Status: Draft
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
902 vulnerabilities reference this CWE, most recent first.
GHSA-G7H3-M79W-RCRP
Vulnerability from github – Published: 2023-04-16 03:30 – Updated: 2024-04-04 03:29ENTAB ERP 1.0 allows attackers to discover users' full names via a brute force attack with a series of student usernames such as s10000 through s20000. There is no rate limiting.
{
"affected": [],
"aliases": [
"CVE-2022-30076"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-16T03:15:00Z",
"severity": "MODERATE"
},
"details": "ENTAB ERP 1.0 allows attackers to discover users\u0027 full names via a brute force attack with a series of student usernames such as s10000 through s20000. There is no rate limiting.",
"id": "GHSA-g7h3-m79w-rcrp",
"modified": "2024-04-04T03:29:50Z",
"published": "2023-04-16T03:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30076"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/171777/ENTAB-ERP-1.0-Information-Disclosure.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G82J-WPRP-Q9Q9
Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2025-02-12 18:31KioWare for Windows (versions all through 8.35) allows to brute force the PIN number, which protects the application from being closed, as there are no mechanisms preventing a user from excessively guessing the number.
{
"affected": [],
"aliases": [
"CVE-2024-3461"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:41:13Z",
"severity": "MODERATE"
},
"details": "KioWare for Windows (versions all through 8.35)\u00a0allows to brute force the PIN number, which protects the application from being closed, as there are no mechanisms preventing a user from excessively guessing the number.",
"id": "GHSA-g82j-wprp-q9q9",
"modified": "2025-02-12T18:31:28Z",
"published": "2024-05-14T18:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3461"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2024/04/CVE-2024-3459"
},
{
"type": "WEB",
"url": "https://cert.pl/posts/2024/04/CVE-2024-3459"
},
{
"type": "WEB",
"url": "https://www.kioware.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G889-QRP9-QWXW
Vulnerability from github – Published: 2025-10-31 00:30 – Updated: 2025-11-07 21:31Nagios Fusion versions prior to 2024R2.1 contain a brute-force bypass in the Two-Factor Authentication (2FA) implementation. The application did not properly enforce rate limiting or account lockout for repeated failed 2FA verification attempts, allowing a remote attacker to repeatedly try second-factor codes for a targeted account. By abusing the lack of enforcement, an attacker could eventually successfully authenticate to accounts protected by 2FA.
{
"affected": [],
"aliases": [
"CVE-2025-34249"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-30T22:15:47Z",
"severity": "CRITICAL"
},
"details": "Nagios Fusion versions prior to 2024R2.1\u00a0contain a brute-force bypass in the Two-Factor Authentication (2FA) implementation. The application did not properly enforce rate limiting or account lockout for repeated failed 2FA verification attempts, allowing a remote attacker to repeatedly try second-factor codes for a targeted account. By abusing the lack of enforcement, an attacker could eventually successfully authenticate to accounts protected by 2FA.",
"id": "GHSA-g889-qrp9-qwxw",
"modified": "2025-11-07T21:31:19Z",
"published": "2025-10-31T00:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34249"
},
{
"type": "WEB",
"url": "https://www.nagios.com/changelog/nagios-fusion"
},
{
"type": "WEB",
"url": "https://www.nagios.com/products/security/#nagios-xi"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/nagios-fusion-2fa-brute-force-bypass"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G93R-RWCJ-F35X
Vulnerability from github – Published: 2022-05-24 17:39 – Updated: 2024-04-11 15:30A vulnerability in the reclaim host role feature of Cisco Webex Meetings and Cisco Webex Meetings Server could allow an authenticated, remote attacker to take over the host role during a meeting. This vulnerability is due to a lack of protection against brute forcing of the host key. An attacker could exploit this vulnerability by sending crafted requests to a vulnerable Cisco Webex Meetings or Webex Meetings Server site. A successful exploit would require the attacker to have access to join a Webex meeting, including applicable meeting join links and passwords. A successful exploit could allow the attacker to acquire or take over the host role for a meeting.
{
"affected": [],
"aliases": [
"CVE-2021-1311"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-13T22:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the reclaim host role feature of Cisco Webex Meetings and Cisco Webex Meetings Server could allow an authenticated, remote attacker to take over the host role during a meeting. This vulnerability is due to a lack of protection against brute forcing of the host key. An attacker could exploit this vulnerability by sending crafted requests to a vulnerable Cisco Webex Meetings or Webex Meetings Server site. A successful exploit would require the attacker to have access to join a Webex meeting, including applicable meeting join links and passwords. A successful exploit could allow the attacker to acquire or take over the host role for a meeting.",
"id": "GHSA-g93r-rwcj-f35x",
"modified": "2024-04-11T15:30:43Z",
"published": "2022-05-24T17:39:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1311"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-brutef-hostkey-FWRMxVF"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-G9HJ-QPH5-HPX3
Vulnerability from github – Published: 2025-06-26 21:31 – Updated: 2026-06-05 18:31Improper Restriction of Excessive Authentication Attempts vulnerability in Art-in Bilişim Teknolojileri ve Yazılım Hizm. Tic. Ltd. Şti. Wi-Fi Cloud Hotspot allows Authentication Abuse, Authentication Bypass.This issue affects Wi-Fi Cloud Hotspot: before 30.05.2025.
{
"affected": [],
"aliases": [
"CVE-2025-4383"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-24T16:15:29Z",
"severity": "CRITICAL"
},
"details": "Improper Restriction of Excessive Authentication Attempts vulnerability in Art-in Bili\u015fim Teknolojileri ve Yaz\u0131l\u0131m Hizm. Tic. Ltd. \u015eti. Wi-Fi Cloud Hotspot allows Authentication Abuse, Authentication Bypass.This issue affects Wi-Fi Cloud Hotspot: before 30.05.2025.",
"id": "GHSA-g9hj-qph5-hpx3",
"modified": "2026-06-05T18:31:30Z",
"published": "2025-06-26T21:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4383"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0134"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-25-0134"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GC7Q-JGJV-VJR2
Vulnerability from github – Published: 2024-09-17 22:29 – Updated: 2024-09-17 22:29If an attacker launches many login attempts in parallel then the attacker can have more guesses at a password than the brute force protection configuration permits. This is due to the brute force check occurring before the brute force protector has locked the user.
Acknowledgements: Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "22.0.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "23.0.0"
},
{
"fixed": "24.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "25.0.0"
},
{
"fixed": "25.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-4629"
],
"database_specific": {
"cwe_ids": [
"CWE-307",
"CWE-837"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-17T22:29:01Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "If an attacker launches many login attempts in parallel then the attacker can have more guesses at a password than the brute force protection configuration permits. This is due to the brute force check occurring before the brute force protector has locked the user.\n\n**Acknowledgements:**\nSpecial thanks to Maurizio Agazzini for reporting this issue and helping us improve our project.",
"id": "GHSA-gc7q-jgjv-vjr2",
"modified": "2024-09-17T22:29:01Z",
"published": "2024-09-17T22:29:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-gc7q-jgjv-vjr2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4629"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/d78b3072ffffbff3954bf9f3181e3daf8e93c1ab"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/c8053dd812d9b9f05b293f901b9dc39e061ebb88"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/b25c28458a562abda2f84fc684e59cce8577e562"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/99f92ad5fff5555d53930c2d32f8be3e08c514c1"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/461fa631dc55b9739c9ed8c49de9f5b213955200"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/2fb358e1a21c5387cdc11100ce3562b4dcfe5416"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2276761"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-4629"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6501"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6500"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6499"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6497"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6495"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6494"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6493"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Keycloak Services has a potential bypass of brute force protection"
}
GHSA-GF35-787V-RV28
Vulnerability from github – Published: 2022-05-05 00:29 – Updated: 2024-04-03 23:58The Phonemes mode in Pwgen 2.06 generates predictable passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.
{
"affected": [],
"aliases": [
"CVE-2013-4441"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-27T17:15:00Z",
"severity": "CRITICAL"
},
"details": "The Phonemes mode in Pwgen 2.06 generates predictable passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.",
"id": "GHSA-gf35-787v-rv28",
"modified": "2024-04-03T23:58:00Z",
"published": "2022-05-05T00:29:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4441"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726578"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2012/01/22/6"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2013/06/06/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2013/10/16/15"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GF5X-HRMG-CJ8W
Vulnerability from github – Published: 2023-06-13 09:30 – Updated: 2024-04-04 04:45An Improper Restriction of Excessive Authentication Attempts [CWE-307] in FortiSIEM below 7.0.0 may allow a non-privileged user with access to several endpoints to brute force attack these endpoints.
{
"affected": [],
"aliases": [
"CVE-2022-42478"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-13T09:15:15Z",
"severity": "HIGH"
},
"details": "An Improper Restriction of Excessive Authentication Attempts [CWE-307] in FortiSIEM below 7.0.0 may allow a non-privileged user with access to several endpoints to brute force attack these endpoints.",
"id": "GHSA-gf5x-hrmg-cj8w",
"modified": "2024-04-04T04:45:25Z",
"published": "2023-06-13T09:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42478"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-22-258"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GG5H-3CQ7-J6HC
Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2025-09-22 21:30IBM Sterling Connect:Express for Microsoft Windows 3.1.0.0 through 3.1.0.22 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.
{
"affected": [],
"aliases": [
"CVE-2025-36064"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-22T19:15:40Z",
"severity": "MODERATE"
},
"details": "IBM Sterling Connect:Express for Microsoft Windows 3.1.0.0 through 3.1.0.22 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.",
"id": "GHSA-gg5h-3cq7-j6hc",
"modified": "2025-09-22T21:30:21Z",
"published": "2025-09-22T21:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36064"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7245761"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GJM9-QJC7-5G2H
Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19index.php?r=site%2Flogin in EduSec through 4.2.6 does not restrict sending a series of LoginForm[username] and LoginForm[password] parameters, which might make it easier for remote attackers to obtain access via a brute-force approach.
{
"affected": [],
"aliases": [
"CVE-2018-19548"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-26T07:29:00Z",
"severity": "CRITICAL"
},
"details": "index.php?r=site%2Flogin in EduSec through 4.2.6 does not restrict sending a series of LoginForm[username] and LoginForm[password] parameters, which might make it easier for remote attackers to obtain access via a brute-force approach.",
"id": "GHSA-gjm9-qjc7-5g2h",
"modified": "2022-05-13T01:19:48Z",
"published": "2022-05-13T01:19:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19548"
},
{
"type": "WEB",
"url": "https://github.com/EduSec/EduSec/issues/14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- Common protection mechanisms include:
- Disconnecting the user after a small number of failed attempts
- Implementing a timeout
- Locking out a targeted account
- Requiring a computational task on the user's part.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack
An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.
Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.
CAPEC-49: Password Brute Forcing
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
CAPEC-560: Use of Known Domain Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.
CAPEC-565: Password Spraying
In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.
CAPEC-600: Credential Stuffing
An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-653: Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.