
CVE-2025-5485: Brute Force

EUVD-2025-18211 | HIGH
Observable Response Discrepancy (CWE-204)
Published 2025-06-12 | Source: ics-cert@hq.dhs.gov
CVSS 3.1 base score: 8.6

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: Low

Lifecycle Timeline

EUVD ID Assigned: Mar 14, 2026 - 21:20 (euvd) - EUVD-2025-18211
Analysis Generated: Mar 14, 2026 - 21:20 (vuln.today)
CVE Published: Jun 12, 2025 - 20:15 (nvd)

Description (NVD)

User names used to access the web management interface are limited to the device identifier, which is a numerical identifier no more than 10 digits. A malicious actor can enumerate potential targets by incrementing or decrementing from known identifiers or through enumerating random digit sequences.

Analysis (AI)

User enumeration vulnerability in a web management interface whose usernames are device identifiers: numeric strings of at most 10 digits. An unauthenticated remote attacker can discover valid accounts by stepping through digit sequences (incrementing or decrementing from a known identifier, or trying random sequences) and observing the interface's differing responses, gaining information disclosure and a limited ability to manipulate the device. The CVSS 3.1 score of 8.6 reflects high confidentiality impact with low integrity and availability impact (C:H/I:L/A:L). Patch status and evidence of active exploitation are not stated on this page and require vendor-specific assessment.

Technical Context (AI)

The weakness is CWE-204 (Observable Response Discrepancy): the authentication mechanism answers differently for a valid username than for an invalid one, so every login attempt doubles as an existence oracle. The discrepancy need not be an explicit error message; a difference in HTTP status, redirect target, response length or response time is enough. Here the oracle is combined with a tiny, structured username space. Device identifiers are numeric strings of at most 10 digits, so there are at most 10^10 (ten billion) candidates in the whole space, and because the description says targets can be found by incrementing or decrementing from a known identifier, an attacker who knows one device's identifier can reach its neighbours by counting up or down rather than searching the space at all. Exploitation is only this cheap if the interface also lacks the usual enumeration defences, which the page does not confirm but the vector (AV:N/AC:L/PR:N/UI:N) suggests: a uniform failure response with a constant-time credential check, progressive delays on failed attempts, CAPTCHA challenges, or throttling per source address. Per-account lockout alone does not help here and can backfire, since an attacker who can enumerate identifiers can lock every device out.
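The discrepancy described above, as an added example that is not code from the affected product or its vendor: a login handler that answers differently for an unknown device identifier than for a wrong password, the same handler hardened to one failure response and the same amount of work on every path, and the attacker loop from the NVD description run against both. The device table, identifiers, passwords, salt, and the assumption that the all-zero identifier is unassigned are constructed for the demonstration.

```python
"""CWE-204 on a device login (added example, not the affected product's code).

The device table, identifiers, passwords and salt below are constructed for the
demonstration. login_vulnerable() answers differently for an unknown device ID
than for a wrong password; login_hardened() does not, and does the same amount
of work either way.
"""
import hashlib
import hmac

# Low iteration count only to keep the demo fast; use a proper work factor in practice.
_SALT = b"constructed-demo-salt"
_ITERATIONS = 10_000


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


# Constructed "device table": device identifier (the username) -> password hash.
DEVICES = {
    "9051234567": _hash("s3cret"),
    "9051234568": _hash("other-pw"),
}
# Hashed once at start-up and compared against for unknown IDs, so an unknown
# ID costs the same time as a wrong password for a known one.
_DUMMY_HASH = _hash("dummy-password-never-accepted")


def login_vulnerable(device_id: str, password: str) -> tuple[int, str]:
    """Leaks existence of the ID: distinct status and message per failure cause."""
    record = DEVICES.get(device_id)
    if record is None:
        return 404, "unknown device id"          # oracle: no such device
    if not hmac.compare_digest(record, _hash(password)):
        return 401, "wrong password"             # oracle: device exists
    return 200, "ok"


def login_hardened(device_id: str, password: str) -> tuple[int, str]:
    """One failure response; hashing and comparison always run."""
    record = DEVICES.get(device_id, _DUMMY_HASH)
    # `&` rather than `and` so both checks are evaluated on every call.
    ok = hmac.compare_digest(record, _hash(password)) & (device_id in DEVICES)
    return (200, "ok") if ok else (401, "invalid credentials")


def enumerate_ids(login, known_id: str, span: int) -> list[str]:
    """The attacker loop from the NVD description: walk +/-span around a known
    identifier with a deliberately wrong password and keep every ID whose
    response differs from that of an ID assumed not to exist."""
    baseline = login("0" * len(known_id), "wrong")   # assumed: all-zero ID is unassigned
    base, width = int(known_id), len(known_id)
    found = []
    for delta in range(-span, span + 1):
        candidate = str(base + delta).zfill(width)
        if login(candidate, "wrong") != baseline:
            found.append(candidate)
    return found


if __name__ == "__main__":
    print("vulnerable:", enumerate_ids(login_vulnerable, "9051234567", 5))
    print("hardened:  ", enumerate_ids(login_hardened, "9051234567", 5))
```

Against the vulnerable handler the walk around 9051234567 confirms both constructed devices; against the hardened handler every candidate returns the same 401 body, so the walk learns nothing. A real check would also compare response timing and length, which is why the hardened version hashes a dummy record for unknown identifiers instead of returning early.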

Remediation (AI)

Immediate remediation steps:

1. Contact the vendor for patches that add enumeration protection, and apply vendor-supplied firmware updates when available; specifics depend on the device manufacturer.
2. Interim mitigations: restrict access to the management interface with firewall rules that limit source IP ranges; add WAF/IDS rules that detect sequential or high-volume authentication attempts from a single source; rate-limit the login endpoint; throttle or block a source after repeated failures. Prefer per-source throttling to per-account lockout, because an attacker who can enumerate identifiers could otherwise lock every device out.
3. Administrative controls: replace default or predictable device identifiers where the product allows it, require strong supplementary authentication (MFA) where supported, and monitor authentication logs for enumeration patterns (many distinct numeric usernames from one source in a short window).
4. Architectural: segment the network so management interfaces are reachable only from trusted administrative networks.

Vendors should implement enumeration defences in the interface itself: one failure response and constant-time validation regardless of whether the username exists, progressive delays and CAPTCHA challenges on repeated failures, and randomized or longer usernames instead of bare sequential device identifiers.
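The log monitoring and IDS rule recommended above, as an added example that is not the vendor's tooling or a feature of the affected product: a small detector run over constructed authentication log lines that flags a source trying many distinct numeric usernames in a short window and labels the attempt as sequential (walking from a known identifier) or random (the description's other strategy). The log format, source addresses, identifiers, window and thresholds are assumptions for the demonstration.

```python
"""Detecting device-identifier enumeration in management-interface auth logs.

Added example, not the affected product's or vendor's code. The log format
(one line per attempt: timestamp, source, username, result) and every line
produced by _constructed_log() are constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) src=(?P<src>\S+) "
    r"user=(?P<user>\d{1,10}) result=(?P<result>\w+)$"
)


def parse(lines):
    """Yield (timestamp, source, username, result); skip malformed lines."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["user"], m["result"]


def detect_enumeration(lines, window=timedelta(minutes=5), min_distinct=8, seq_ratio=0.6):
    """Flag sources that try at least `min_distinct` usernames within `window`.

    A source whose consecutive guesses differ by exactly 1 at least `seq_ratio`
    of the time is reported as 'sequential'; any other high-cardinality source
    is reported as 'random'. Returns {source: (kind, distinct_usernames)}.
    """
    by_src = defaultdict(list)
    for ts, src, user, _result in parse(lines):
        by_src[src].append((ts, user))

    alerts = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i in range(len(attempts)):
            j = i   # expand a window starting at attempt i
            while j < len(attempts) and attempts[j][0] - attempts[i][0] <= window:
                j += 1
            users = [u for _, u in attempts[i:j]]
            distinct = len(set(users))
            if distinct < min_distinct:
                continue
            steps = [abs(int(b) - int(a)) for a, b in zip(users, users[1:])]
            sequential = sum(s == 1 for s in steps) / len(steps)
            alerts[src] = ("sequential" if sequential >= seq_ratio else "random", distinct)
            break   # one alert per source is enough
    return alerts


def _constructed_log():
    """Sample lines (constructed, not real device logs) covering three cases."""
    t0 = datetime(2025, 6, 12, 20, 15, 0)

    def stamp(seconds):
        return (t0 + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    # 203.0.113.10 walks a contiguous range around a known identifier, one guess per second.
    for k in range(10):
        lines.append(f"{stamp(k)} src=203.0.113.10 user={9051234560 + k} result=fail")
    # 198.51.100.7 is an operator mistyping one device's password, then succeeding.
    for k, result in enumerate(["fail", "fail", "fail", "ok"]):
        lines.append(f"{stamp(20 + k)} src=198.51.100.7 user=9051234567 result={result}")
    # 203.0.113.99 tries random digit sequences instead of walking a range.
    random_ids = ["4839201756", "0192837465", "7761234098", "3350981267",
                  "9912345670", "1020304050", "5566778899", "8473625190", "2938475610"]
    for k, uid in enumerate(random_ids):
        lines.append(f"{stamp(40 + k)} src=203.0.113.99 user={uid} result=fail")
    return lines


if __name__ == "__main__":
    for src, (kind, n) in detect_enumeration(_constructed_log()).items():
        print(f"{src}: {kind} enumeration, {n} distinct usernames")
```

The operator who fails three times on a single device is not flagged, because the rule keys on the number of distinct usernames per source rather than on failures per account; that is the same reason the mitigation above prefers per-source throttling to per-account lockout. Tune `min_distinct` and `window` to the legitimate fan-out of your own administrators before alerting on this in production.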


CVE-2025-5485 vulnerability details – vuln.today
