Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Improper restriction of excessive authentication attempts vulnerability in Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application allows Brute Force.
This issue affects Mobile Application: from 1.6.2 before 1.13.
AnalysisAI
Brute force exploitation of the Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application (versions 1.6.2 through before 1.13) is enabled by the complete absence of rate limiting or lockout controls on authentication attempts (CWE-307), allowing a network-accessible attacker to systematically enumerate user credentials. Successful exploitation results in high confidentiality impact - consistent with the 'Information Disclosure' tag and C:H CVSS metric - meaning account contents and potentially sensitive utility-related user data can be exposed. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, a vendor-released patch is available and upgrade to version 1.13 is the indicated remediation.
Technical ContextAI
The affected product is the TEİAŞ Mobile Application, a consumer-facing utility application operated by Turkey's national electricity transmission authority, identified by CPE cpe:2.3:a:turkiye_electricity_transmission_corporation_(tei̇aş):mobile_application:*:*:*:*:*:*:*:*. The root cause maps to CWE-307 (Improper Restriction of Excessive Authentication Attempts), a well-understood authentication control failure in which the application's login interface imposes no meaningful throttle on failed credential submissions - no CAPTCHA, no temporary lockout, and no IP-based rate limiting. This permits automated tooling to iteratively test large password lists against a target account without triggering any defensive response from the application. The vulnerability resides in the authentication layer of a mobile application serving critical infrastructure users, which elevates the sensitivity of any data exposed upon account compromise.
RemediationAI
The primary remediation is to upgrade the TEİAŞ Mobile Application to version 1.13 or later, as a vendor-released patch is confirmed available per TR-CERT advisory TR-26-0286 (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0286) and EUVD-2026-31288. The exact patch release notes and distribution mechanism should be confirmed via the official advisory, as the precise patched build version beyond the '1.13' threshold is not independently verified in the available data. As interim server-side compensating controls prior to patching, the application backend should enforce authentication rate limiting (e.g., temporary IP-block or exponential back-off after a defined number of failed attempts per account or source IP) and account lockout thresholds - note that lockout policies introduce a secondary risk of account-based denial-of-service if lockout thresholds are set too aggressively, so tuning is required. Users should additionally be advised to use strong, unique passwords for their TEİAŞ application accounts to reduce the probability that brute force attempts succeed even during the window before patching.
More in Mobile Application
View allHardcoded storage credentials in Gardyn mobile application and device firmware grant unauthenticated remote attackers ac
Insufficient session expiration in the Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application versions
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31288
GHSA-rhjf-qfgh-pmw6