LogicalDOC Community Edition
CVE-2025-12547
Severity: LOW (primary rating from NVD, the only source for this CVE)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (source: CVE.org)
A vulnerability was identified in LogicalDOC Community Edition up to 9.2.1. This vulnerability affects unknown code of the file /login.jsp of the component Admin Login Page. Such manipulation leads to improper restriction of excessive authentication attempts. The attack can be executed remotely. This attack is characterized by high complexity. It is stated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI-generated)
LogicalDOC Community Edition up to 9.2.1 does not rate-limit the admin login page (/login.jsp), so a remote attacker can submit authentication attempts without throttling and brute-force administrative credentials; the attack is rated high complexity and its exploitability is stated to be difficult. Public exploit code exists and the vendor did not respond to the early disclosure notification, but real-world exploitation risk remains low given the EPSS score of 0.16% and the high attack complexity.
Technical Context (AI-generated)
The vulnerability resides in the admin login page component (/login.jsp) of LogicalDOC Community Edition, a document management system. The root cause is improper restriction of excessive authentication attempts, classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts). Without rate limiting or account lockout on the login endpoint, an attacker can submit an unbounded number of authentication attempts, which enables brute-force attacks against administrative credentials. The CVSS v4.0 vector indicates a network-accessible attack surface (AV:N) but high attack complexity (AC:H), suggesting the exploit requires non-trivial conditions such as specific timing, many attempts, or bypassing existing but weak controls. Attack Requirements (AT:N) and User Interaction (UI:N) confirm that no special deployment preconditions and no user interaction are needed beyond sending the requests.
Remediation (AI-generated)
Upgrade LogicalDOC Community Edition to a version after 9.2.1 if available; however, vendor responsiveness to this disclosure is uncertain, and patch availability has not been confirmed. As an immediate compensating control, implement network-level rate limiting on the /login.jsp endpoint using a reverse proxy (nginx, Apache) or Web Application Firewall to restrict login attempts to a reasonable threshold (e.g., 5 attempts per minute per IP address, with temporary IP blocks after 10 failed attempts). Additionally, enforce strong administrative password policies and monitor login logs for unusual patterns or brute-force attempts. If the vendor releases a patched version, apply it immediately. Organizations unable to upgrade should restrict access to the admin login page to known administrative IP ranges using firewall rules or VPN-only access, accepting the trade-off of reduced administrative accessibility for improved security.
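An added example of the reverse-proxy compensating control described above, written for this page rather than taken from the advisory or from LogicalDOC; the upstream address 127.0.0.1:8080, the hostname and the certificate paths are placeholders, and it assumes credentials are submitted to /login.jsp itself:

```nginx
# Added example: nginx rate limit on the LogicalDOC login page.
# Assumptions (not from the advisory): LogicalDOC listens on 127.0.0.1:8080 and
# the login form posts to /login.jsp. Adjust the location if the form posts elsewhere.

# One counter per client IP; 5r/m matches the "5 attempts per minute" threshold.
# 10 MB of shared memory holds roughly 160k addresses.
limit_req_zone $binary_remote_addr zone=logicaldoc_login:10m rate=5r/m;

server {
    listen 443 ssl;
    server_name dms.example.internal;                 # placeholder hostname
    ssl_certificate     /etc/nginx/tls/dms.crt;       # placeholder path
    ssl_certificate_key /etc/nginx/tls/dms.key;       # placeholder path

    location = /login.jsp {
        # The rate itself admits one request, burst=4 admits four more without
        # delay, so 5 attempts in a row succeed and the 6th within the same
        # minute is rejected instead of being queued.
        limit_req zone=logicaldoc_login burst=4 nodelay;
        limit_req_status 429;
        # Rejected attempts are logged at warn level so they stand out in error.log.
        limit_req_log_level warn;

        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

This throttles requests per source address regardless of whether the login succeeded; the "temporary block after 10 failed attempts" part needs a component that reads the application's authentication failures (for example a fail2ban jail over its logs), which nginx alone does not provide.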