Skip to main content

TEİAŞ Mobile Application CVE-2026-1816

| EUVDEUVD-2026-31288 MEDIUM
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-05-21 TR-CERT GHSA-rhjf-qfgh-pmw6
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 21, 2026 - 15:31 vuln.today
Patch available
May 21, 2026 - 15:01 EUVD

DescriptionCVE.org

Improper restriction of excessive authentication attempts vulnerability in Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application allows Brute Force.

This issue affects Mobile Application: from 1.6.2 before 1.13.

AnalysisAI

Brute force exploitation of the Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application (versions 1.6.2 through before 1.13) is enabled by the complete absence of rate limiting or lockout controls on authentication attempts (CWE-307), allowing a network-accessible attacker to systematically enumerate user credentials. Successful exploitation results in high confidentiality impact - consistent with the 'Information Disclosure' tag and C:H CVSS metric - meaning account contents and potentially sensitive utility-related user data can be exposed. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, a vendor-released patch is available and upgrade to version 1.13 is the indicated remediation.

Technical ContextAI

The affected product is the TEİAŞ Mobile Application, a consumer-facing utility application operated by Turkey's national electricity transmission authority, identified by CPE cpe:2.3:a:turkiye_electricity_transmission_corporation_(tei̇aş):mobile_application:*:*:*:*:*:*:*:*. The root cause maps to CWE-307 (Improper Restriction of Excessive Authentication Attempts), a well-understood authentication control failure in which the application's login interface imposes no meaningful throttle on failed credential submissions - no CAPTCHA, no temporary lockout, and no IP-based rate limiting. This permits automated tooling to iteratively test large password lists against a target account without triggering any defensive response from the application. The vulnerability resides in the authentication layer of a mobile application serving critical infrastructure users, which elevates the sensitivity of any data exposed upon account compromise.

RemediationAI

The primary remediation is to upgrade the TEİAŞ Mobile Application to version 1.13 or later, as a vendor-released patch is confirmed available per TR-CERT advisory TR-26-0286 (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0286) and EUVD-2026-31288. The exact patch release notes and distribution mechanism should be confirmed via the official advisory, as the precise patched build version beyond the '1.13' threshold is not independently verified in the available data. As interim server-side compensating controls prior to patching, the application backend should enforce authentication rate limiting (e.g., temporary IP-block or exponential back-off after a defined number of failed attempts per account or source IP) and account lockout thresholds - note that lockout policies introduce a secondary risk of account-based denial-of-service if lockout thresholds are set too aggressively, so tuning is required. Users should additionally be advised to use strong, unique passwords for their TEİAŞ application accounts to reduce the probability that brute force attempts succeed even during the window before patching.

Share

CVE-2026-1816 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy