CVE-2025-9551

MEDIUM
2025-10-10 [email protected]
6.5
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

Analysis Generated: Mar 26, 2026 - 22:22 (vuln.today)
Patch Released: Mar 26, 2026 - 22:22 (nvd) - patch available
CVE Published: Oct 10, 2025 - 23:15 (nvd) - MEDIUM 6.5

Description

Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Protected Pages allows Brute Force. This issue affects Protected Pages: from 0.0.0 before 1.8.0, from 7.x-1.0 before 7.x-2.5.

Analysis

The Drupal Protected Pages module lets a site administrator put a password in front of individual pages. Affected releases do not throttle submissions to that password form, so an unauthenticated attacker can submit guesses as fast as the server will accept them until one succeeds, gaining access to the protected content. Affected versions are Protected Pages 0.0.0 through 1.7.x and 7.x-1.0 through 7.x-2.4. Because there is no delay, lockout, or flood control on failed submissions, the attack is a plain online password-guessing attack against the shared page password rather than an attack on user accounts. No public exploit code or active exploitation has been confirmed; the EPSS score of 0.05% (15th percentile) indicates low real-world exploitation likelihood despite the CVSS score of 6.5, which the vector attributes to limited loss of confidentiality (C:L) and availability (A:L) with no integrity impact.

Technical Context

The Protected Pages module for Drupal (CPE: cpe:2.3:a:protected_pages_project:protected_pages:*:*:*:*:*:drupal:*:*) restricts access to chosen pages behind a password set by the site administrator; a visitor who submits the right password to the module's form is then allowed through. The vulnerability is CWE-307 (Improper Restriction of Excessive Authentication Attempts): the form applies no flood control, exponential backoff, CAPTCHA challenge, or per-client lockout to failed submissions, so an attacker can submit guesses as quickly as the web server answers them, which makes a wordlist or exhaustive search practical. Since the password is shared per page rather than tied to a user account, the natural unit for any lockout is the requesting client (IP address or session), not an account. The flaw is present in both the Drupal 7 (7.x-2.x) branch and the 1.x branch for Drupal 8 and later.
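The following is an added, self-contained illustration of the weakness and its fix; it is not code from the Protected Pages module or from the Drupal project. It models the page password check twice: an unthrottled gate that compares every submission (the CWE-307 pattern), and a throttled gate that applies a per-client sliding window plus a temporary lockout. The thresholds (5 attempts per 60 s, lockout after 10 failures within 15 minutes), the wordlist, the attacker IP and the page password are all assumptions chosen for the demonstration; a deterministic clock stands in for wall time so the run is reproducible. In a Drupal module the same policy would normally be expressed with core's flood service rather than an in-memory store.

```python
"""Password gate for a protected page: the unthrottled pattern behind CWE-307
beside a throttled form. Added example, not code from the Protected Pages
module; thresholds, wordlist, attacker IP and page password are assumptions."""
import hmac
from collections import defaultdict, deque

# Assumed policy, mirroring the interim guidance on this page: at most 5
# attempts per 60 s per client IP, and a 15-minute block once 10 failures
# accumulate within 15 minutes.
ATTEMPT_LIMIT = 5
ATTEMPT_WINDOW = 60
LOCKOUT_FAILURES = 10
LOCKOUT_WINDOW = 15 * 60


class FakeClock:
    """Deterministic time source: each call returns the previous value + step."""

    def __init__(self, step: float = 0.0):
        self.now, self.step = 0.0, step

    def __call__(self) -> float:
        t = self.now
        self.now += self.step
        return t


class UnthrottledGate:
    """CWE-307 pattern: every submission is compared, however many arrive."""

    def __init__(self, password: str):
        self._password = password

    def check(self, ip: str, guess: str) -> str:
        return "granted" if guess == self._password else "denied"


class ThrottledGate:
    """Same gate with a per-IP sliding window and a temporary lockout. The unit
    is the client, since the page password is shared and there is no account."""

    def __init__(self, password: str, clock):
        self._password = password
        self._clock = clock
        self._attempts = defaultdict(deque)   # ip -> timestamps of recent submissions
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._locked_until = {}               # ip -> time the block expires

    @staticmethod
    def _prune(q: deque, now: float, window: int) -> None:
        while q and q[0] <= now - window:
            q.popleft()

    def check(self, ip: str, guess: str) -> str:
        now = self._clock()
        if self._locked_until.get(ip, 0.0) > now:
            return "locked"
        attempts = self._attempts[ip]
        self._prune(attempts, now, ATTEMPT_WINDOW)
        if len(attempts) >= ATTEMPT_LIMIT:
            return "throttled"   # refused before the password is even compared
        attempts.append(now)
        # Constant-time comparison so response timing does not leak a prefix match.
        if hmac.compare_digest(guess.encode(), self._password.encode()):
            self._failures.pop(ip, None)
            return "granted"
        failures = self._failures[ip]
        self._prune(failures, now, LOCKOUT_WINDOW)
        failures.append(now)
        if len(failures) >= LOCKOUT_FAILURES:
            self._locked_until[ip] = now + LOCKOUT_WINDOW
            failures.clear()
            return "locked"
        return "denied"


def brute_force(gate, ip: str, wordlist) -> dict:
    """Submit every guess in order, as a script would, and report what the
    gate answered and whether the password was recovered."""
    outcomes = defaultdict(int)
    found = None
    for guess in wordlist:
        result = gate.check(ip, guess)
        outcomes[result] += 1
        if result == "granted":
            found = guess
            break
    return {"found": found, "submitted": sum(outcomes.values()), **outcomes}


# Constructed wordlist: 49 wrong guesses, then the (assumed) real password.
PAGE_PASSWORD = "s3cret-page"
WORDLIST = [f"password{i}" for i in range(49)] + [PAGE_PASSWORD]
ATTACKER_IP = "203.0.113.7"


def run_scenarios() -> dict:
    """Same wordlist three ways: no throttling, a burst against the throttled
    gate, and a slow attacker pacing one guess every 12 s to stay under 5/min."""
    return {
        "unthrottled": brute_force(UnthrottledGate(PAGE_PASSWORD), ATTACKER_IP, WORDLIST),
        "burst": brute_force(ThrottledGate(PAGE_PASSWORD, FakeClock(0)), ATTACKER_IP, WORDLIST),
        "paced": brute_force(ThrottledGate(PAGE_PASSWORD, FakeClock(12)), ATTACKER_IP, WORDLIST),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, dict(result))
```

Against the unthrottled gate the whole wordlist is accepted and the password falls on the 50th guess. A burst against the throttled gate gets five answers and is then refused without the password being compared; a patient attacker who paces guesses to stay under the rate limit is still locked out after the tenth failure, which is why the lockout window matters as well as the per-minute limit.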

Affected Products

The Drupal Protected Pages module is affected across two version families: 0.0.0 through 1.7.x on the 1.x branch (Drupal 8 and later) and 7.x-1.0 through 7.x-2.4 on the Drupal 7 branch. The module is identified via CPE cpe:2.3:a:protected_pages_project:protected_pages:*:*:*:*:*:drupal:*:*. Fixed releases are 1.8.0 and 7.x-2.5; the official advisory at https://www.drupal.org/sa-contrib-2025-101 (SA-CONTRIB-2025-101) carries the details. The CVE record lists [email protected] as its source and cross-references that advisory.

Remediation

Upgrade Protected Pages to 1.8.0 or later on the 1.x branch (Drupal 8 and later) and to 7.x-2.5 or later on the Drupal 7 branch, as specified in the vendor advisory at https://www.drupal.org/sa-contrib-2025-101. If immediate patching is not feasible, rate-limit the password form at a reverse proxy or WAF in front of Drupal (Apache mod_evasive, Nginx limit_req, or AWS WAF): on the order of 3-5 submissions per minute per client IP, with a temporary block of the IP after 10 failed attempts within 15 minutes. Add a WAF or log-monitoring rule that detects automated guessing, that is, rapid sequential POSTs from one client to the path that serves the module's password form (confirm the exact path on your site, since it depends on the module version and any path aliases). Serving the site over HTTPS only does not stop guessing, but it keeps a correctly guessed or legitimately entered password from being observed in transit. Verify patched versions via the HeroDevs release notes at https://docs.herodevs.com/drupal/release-notes/protected-pages.
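As an added example of the detection rule described above (not part of this page or of the module), the script below reads web-server access-log lines in the common "combined" format and flags any client that POSTs to the password form more than a threshold number of times inside a sliding window, which is the "rapid sequential requests" pattern a WAF rule or fail2ban filter would match. The log lines are constructed for the example; the form path /protected-page and its protected_page query parameter are assumptions about how the module serves its form, and the thresholds (more than 10 POSTs within 60 s) are illustrative.

```python
"""Flag clients that hammer a password form, from web-server access logs.
Added example, not from the page or the module. Log lines are constructed; the
form path and query parameter are assumptions; thresholds are illustrative."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

FORM_PATH = "/protected-page"   # assumed path of the module's password form
MAX_POSTS = 10                  # more POSTs than this ...
WINDOW_SECONDS = 60             # ... inside this sliding window flags the client

# Common/combined log format; only the fields the rule needs are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str):
    """Return (ip, timestamp, method, path without query, status) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


def find_bursts(lines) -> dict:
    """Return {ip: peak count} for clients whose POSTs to FORM_PATH exceeded
    MAX_POSTS within any WINDOW_SECONDS window. Lines are expected in time
    order, as they are in a log file; unparseable lines are skipped."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or path != FORM_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        if len(q) > MAX_POSTS:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def sample_log() -> list:
    """Constructed lines: a visitor who gets the password right on the second
    try, and a scripted client submitting 30 guesses one second apart."""
    base = datetime(2025, 10, 11, 9, 0, 0, tzinfo=timezone.utc)
    form = FORM_PATH + "?protected_page=3"

    def entry(ip, offset, method, path, status, ua="Mozilla/5.0"):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'

    lines = [entry("198.51.100.4", 0, "GET", form, 200),
             entry("198.51.100.4", 8, "POST", form, 200),
             entry("198.51.100.4", 20, "POST", form, 302)]
    lines += [entry("203.0.113.7", 30 + i, "POST", form, 200, "python-requests/2.32")
              for i in range(30)]
    lines.append(entry("198.51.100.4", 70, "GET", "/node/3", 200))
    return lines


if __name__ == "__main__":
    print(find_bursts(sample_log()))
```

Run over the constructed log, the scripted client is flagged with a peak of 30 submissions in the window while the ordinary visitor's two attempts stay under the threshold. Counting only the POSTs to the form path, not every request from the client, keeps the rule from tripping on a busy but legitimate proxy; the same count, keyed on client IP, is what the reverse-proxy rate limit enforces in real time.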

Priority Score

33 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +32
POC: 0

CVE-2025-9551 vulnerability details – vuln.today