Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-64102

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-29 Oct, 2025 | 18:36
Updated At-30 Oct, 2025 | 14:53
Rejected At-
Credits

Zitadel allows brute-forcing authentication factors

Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online brute-force attack on OTP, TOTP, and passwords. While Zitadel allows preventing online brute force attacks in scenarios like TOTP, Email OTP, or passwords using a lockout mechanism. The mechanism is not enabled by default and can cause a denial of service for the corresponding user if enabled. Additionally, the mitigation strategies were not fully implemented in the more recent resource-based APIs. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:29 Oct, 2025 | 18:36
Updated At:30 Oct, 2025 | 14:53
Rejected At:
â–¼CVE Numbering Authority (CNA)
Zitadel allows brute-forcing authentication factors

Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online brute-force attack on OTP, TOTP, and passwords. While Zitadel allows preventing online brute force attacks in scenarios like TOTP, Email OTP, or passwords using a lockout mechanism. The mechanism is not enabled by default and can cause a denial of service for the corresponding user if enabled. Additionally, the mitigation strategies were not fully implemented in the more recent resource-based APIs. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.

Affected Products
Vendor
zitadel
Product
zitadel
Versions
Affected
  • >= 4.0.0-rc.1, < 4.6.0
  • >= 3.0.0-rc.1, < 3.4.3
  • >= 2.0.0, < 2.71.18
Problem Types
TypeCWE IDDescription
CWECWE-307CWE-307: Improper Restriction of Excessive Authentication Attempts
Type: CWE
CWE ID: CWE-307
Description: CWE-307: Improper Restriction of Excessive Authentication Attempts
Metrics
VersionBase scoreBase severityVector
4.07.7HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Version: 4.0
Base score: 7.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/zitadel/zitadel/security/advisories/GHSA-xrw9-r35x-x878
x_refsource_CONFIRM
https://github.com/zitadel/zitadel/commit/b8db8cdf9cc8ea13f461758aef12457f8b7d972a
x_refsource_MISC
Hyperlink: https://github.com/zitadel/zitadel/security/advisories/GHSA-xrw9-r35x-x878
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/zitadel/zitadel/commit/b8db8cdf9cc8ea13f461758aef12457f8b7d972a
Resource:
x_refsource_MISC
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:29 Oct, 2025 | 19:15
Updated At:04 Nov, 2025 | 13:18

Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online brute-force attack on OTP, TOTP, and passwords. While Zitadel allows preventing online brute force attacks in scenarios like TOTP, Email OTP, or passwords using a lockout mechanism. The mechanism is not enabled by default and can cause a denial of service for the corresponding user if enabled. Additionally, the mitigation strategies were not fully implemented in the more recent resource-based APIs. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.07.7HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 4.0
Base score: 7.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches
zitadel
zitadel
>>zitadel>>Versions before 2.71.18(exclusive)
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*
zitadel
zitadel
>>zitadel>>Versions from 3.0.0(inclusive) to 3.4.3(exclusive)
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*
zitadel
zitadel
>>zitadel>>Versions from 4.0.0(inclusive) to 4.6.0(exclusive)
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-307Primarysecurity-advisories@github.com
CWE ID: CWE-307
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/zitadel/zitadel/commit/b8db8cdf9cc8ea13f461758aef12457f8b7d972asecurity-advisories@github.com
Patch
https://github.com/zitadel/zitadel/security/advisories/GHSA-xrw9-r35x-x878security-advisories@github.com
Vendor Advisory
Hyperlink: https://github.com/zitadel/zitadel/commit/b8db8cdf9cc8ea13f461758aef12457f8b7d972a
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/zitadel/zitadel/security/advisories/GHSA-xrw9-r35x-x878
Source: security-advisories@github.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

164Records found
CVE-2024-46442
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.26% / 48.99%
||
7 Day CHG~0.00%
Published-10 Dec, 2024 | 00:00
Updated-11 Dec, 2024 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in the BYD Dilink Headunit System v3.0 to v4.0 allows attackers to bypass authentication via a bruteforce attack.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-7995
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.64% / 70.19%
||
7 Day CHG~0.00%
Published-26 Jan, 2020 | 22:44
Updated-04 Aug, 2024 | 09:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts.

Action-Not Available
Vendor-n/aDolibarr ERP & CRM
Product-dolibarr_erp\/crmn/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-6852
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.43% / 62.39%
||
7 Day CHG~0.00%
Published-02 Apr, 2020 | 14:49
Updated-04 Aug, 2024 | 09:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmware 3.4.2.0919 has weak authentication of TELNET access, leading to root privileges without any password required.

Action-Not Available
Vendor-cacagoon/a
Product-tv-288zd-2mptv-288zd-2mp_firmwaren/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-7508
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-0.26% / 48.86%
||
7 Day CHG~0.00%
Published-16 Jun, 2020 | 19:44
Updated-04 Aug, 2024 | 09:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to gain full access by brute force.

Action-Not Available
Vendor-n/a
Product-easergy_t300easergy_t300_firmwareEasergy T300 (Firmware version 1.5.2 and older)
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2025-1740
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-9.8||CRITICAL
EPSS-0.08% / 23.35%
||
7 Day CHG~0.00%
Published-03 Sep, 2025 | 08:52
Updated-04 Sep, 2025 | 15:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authentication Bypass in Akinsoft's MyRezzta

Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft MyRezzta allows Authentication Bypass, Password Recovery Exploitation, Brute Force.This issue affects MyRezzta: from s2.03.01 before v2.05.01.

Action-Not Available
Vendor-AKINSOFT Software Engineering
Product-MyRezzta
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2025-12995
Matching Score-4
Assigner-Medtronic
ShareView Details
Matching Score-4
Assigner-Medtronic
CVSS Score-8.1||HIGH
EPSS-0.13% / 32.07%
||
7 Day CHG~0.00%
Published-04 Dec, 2025 | 20:03
Updated-22 Dec, 2025 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Medtronic CareLink Network allows an unauthenticated remote attacker to perform a brute force attack on an API endpoint that could be used to determine a valid password under certain circumstances. This issue affects CareLink Network: before December 4, 2025.

Action-Not Available
Vendor-medtronicMedtronic
Product-carelink_networkCareLink Network
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-28212
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-0.35% / 56.83%
||
7 Day CHG~0.00%
Published-19 Nov, 2020 | 21:03
Updated-04 Aug, 2024 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists in PLC Simulator on EcoStruxureª Control Expert (now Unity Pro) (all versions) that could cause unauthorized command execution when a brute force attack is done over Modbus.

Action-Not Available
Vendor-n/a
Product-ecostruxure_control_expertPLC Simulator on EcoStruxureª Control Expert (now Unity Pro) (all versions)
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2021-22915
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-0.44% / 62.84%
||
7 Day CHG-0.05%
Published-11 Jun, 2021 | 15:49
Updated-03 Aug, 2024 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nextcloud server before 19.0.11, 20.0.10, 21.0.2 is vulnerable to brute force attacks due to lack of inclusion of IPv6 subnets in rate-limiting considerations. This could potentially result in an attacker bypassing rate-limit controls such as the Nextcloud brute-force protection.

Action-Not Available
Vendor-n/aFedora ProjectNextcloud GmbH
Product-fedoranextcloud_serverNextcloud Server
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2024-9342
Matching Score-4
Assigner-Eclipse Foundation
ShareView Details
Matching Score-4
Assigner-Eclipse Foundation
CVSS Score-6.3||MEDIUM
EPSS-0.07% / 21.21%
||
7 Day CHG~0.00%
Published-16 Jul, 2025 | 10:14
Updated-16 Jul, 2025 | 19:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse GlassFish version 7.0.16 or earlier it is possible to perform Login Brute Force attacks as there is no limitation in the number of failed login attempts.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-glassfishEclipse Glassfish
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-21238
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.34% / 56.38%
||
7 Day CHG~0.00%
Published-27 Dec, 2021 | 22:23
Updated-04 Aug, 2024 | 14:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in the user login box of CSCMS v4.0 allows attackers to hijack user accounts via brute force attacks.

Action-Not Available
Vendor-chshcmsn/a
Product-cscmsn/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2024-5716
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-8.6||HIGH
EPSS-0.34% / 56.26%
||
7 Day CHG~0.00%
Published-22 Nov, 2024 | 20:05
Updated-10 Jul, 2025 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Logsign Unified SecOps Platform Authentication Bypass Vulnerability

Logsign Unified SecOps Platform Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Logsign Unified SecOps Platform. Authentication is not required to exploit this vulnerability. The specific flaw exists within the password reset mechanism. The issue results from the lack of restriction of excessive authentication attempts. An attacker can leverage this vulnerability to reset a user's password and bypass authentication on the system. Was ZDI-CAN-24164.

Action-Not Available
Vendor-logsignLogsignlogsign
Product-unified_secops_platformUnified SecOps Platformunified_secops
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-14484
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-0.24% / 46.30%
||
7 Day CHG~0.00%
Published-20 Jul, 2020 | 14:45
Updated-04 Aug, 2024 | 12:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenClinic GA versions 5.09.02 and 5.89.05b may allow an attacker to bypass the system’s account lockout protection, which may allow brute force password attacks.

Action-Not Available
Vendor-openclinic_ga_projectn/a
Product-openclinic_gaOpenClinic GA
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-13805
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.02% / 3.99%
||
7 Day CHG~0.00%
Published-04 Jun, 2020 | 14:40
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Foxit Reader and PhantomPDF before 9.7.2. It has brute-force attack mishandling because the CAS service lacks a limit on login failures.

Action-Not Available
Vendor-n/aFoxit Software Incorporated
Product-phantompdfreadern/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-13312
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.11% / 29.84%
||
7 Day CHG~0.00%
Published-14 Sep, 2020 | 19:44
Updated-04 Aug, 2024 | 12:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab OAuth endpoint was vulnerable to brute-force attacks through a specific parameter.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found