Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible unauthenticated login endpoint, no complexity; C:L/I:L reflects per-account data exposure on success; A:N as the portal remains available during brute-force.
Primary rating from Vendor (CERT-PL).
CVSS Vector (Vendor: CERT-PL)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (source: CVE.org)
KTM System e-BOK does not implement any limit or timeout on consecutive login attempts, allowing an attacker to perform unlimited authentication requests. This lack of rate-limiting enables efficient brute-force attacks against user accounts. When combined with vulnerability CVE-2026-35097, where passwords are restricted to a six-digit numeric format, this becomes a critical issue, as such passwords can be brute-forced in a relatively short time.
This issue was fixed in the patch published in June 2026.
Analysis (AI-generated)
Unlimited brute-force attacks against KTM System e-BOK user accounts are enabled by the complete absence of login rate limiting, account lockout, or authentication throttling on the portal's login endpoint. All versions prior to the June 2026 patch are affected, with the risk materially amplified by companion vulnerability CVE-2026-35097, which constrains passwords to a six-digit numeric format - reducing the effective keyspace to 1,000,000 combinations and making full exhaustion feasible with standard tooling in minutes to hours. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | Network access to the e-BOK login endpoint over HTTPS is required, which is the normal deployment condition for a customer-facing web portal. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.9 (Medium) with vector AV:N/AC:L/AT:N/PR:N/UI:N reflects a low-barrier attack path requiring no authentication, no complexity, and no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated remote attacker who knows or enumerates a valid e-BOK username can script HTTP POST requests to the login endpoint and iterate through all 1,000,000 six-digit numeric password combinations without triggering any lockout or rate-limiting response from the application. At modest request rates achievable on a standard internet connection, the full keyspace can be exhausted within minutes to hours, yielding authenticated access to the target's customer account. … |
| Remediation | Apply the patch published by KTM System in June 2026; the product page is at https://ktmsystem.pl/internetowe-biuro-obslugi-klienta/ and the CERT-PL advisory is at https://cert.pl/posts/2026/06/CVE-2026-35095/. … Detailed patch versions, workarounds, and compensating controls in full report. |
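The description and the Remediation row above both turn on the same control: an authentication endpoint that counts consecutive failures per account and throttles per source, so that a 1,000,000-combination keyspace cannot be walked at line rate. The following is an added illustration of such a compensating control and is not KTM System's code or anything from the CERT-PL advisory; the class `LoginThrottle`, the policy constants (5 failures, 30 s base lockout doubling to a 1 h cap, 20 attempts per IP per 60 s), the username `alice` and the address `198.51.100.7` are all constructed for the example. The two `simulate_*` functions replay wrong-password attempts against a fresh throttle and report how many requests the server actually evaluated versus refused.

```python
import time
from collections import defaultdict, deque

# Policy constants are assumed values chosen for this example, not vendor settings.
MAX_FAILURES_BEFORE_LOCK = 5      # consecutive wrong passwords before an account lockout
BASE_LOCKOUT_SECONDS = 30.0       # first lockout length; doubles on each further lockout
MAX_LOCKOUT_SECONDS = 3600.0      # cap so a legitimate user is never locked out for days
IP_WINDOW_SECONDS = 60.0          # sliding window for per-source throttling
IP_MAX_ATTEMPTS_PER_WINDOW = 20   # evaluated attempts one source may make per window


class LoginThrottle:
    """Per-account lockout with capped exponential backoff plus a per-IP sliding window.

    Call check() before verifying a password; call record() with the outcome afterwards.
    Refused requests are never recorded, so only attempts the server really evaluated
    count against the per-IP window.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(int)        # consecutive failures per username
        self.lock_count = defaultdict(int)      # lockouts so far per username (drives backoff)
        self.locked_until = {}                  # username -> timestamp the lockout expires
        self.ip_attempts = defaultdict(deque)   # ip -> timestamps of evaluated attempts

    def check(self, username, ip, now=None):
        """Return (allowed, reason); reason is 'ok', 'account_locked' or 'ip_rate_limited'."""
        now = self.clock() if now is None else now
        until = self.locked_until.get(username)
        if until is not None and now < until:
            return False, "account_locked"
        window = self.ip_attempts[ip]
        while window and now - window[0] > IP_WINDOW_SECONDS:
            window.popleft()                    # drop attempts older than the window
        if len(window) >= IP_MAX_ATTEMPTS_PER_WINDOW:
            return False, "ip_rate_limited"
        return True, "ok"

    def record(self, username, ip, success, now=None):
        """Update counters after the password check; a success clears the account state."""
        now = self.clock() if now is None else now
        self.ip_attempts[ip].append(now)
        if success:
            self.failures[username] = 0
            self.lock_count[username] = 0
            self.locked_until.pop(username, None)
            return
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILURES_BEFORE_LOCK:
            n = self.lock_count[username]
            duration = min(BASE_LOCKOUT_SECONDS * (2 ** n), MAX_LOCKOUT_SECONDS)
            self.locked_until[username] = now + duration
            self.lock_count[username] = n + 1
            self.failures[username] = 0         # next lockout needs 5 fresh failures


def simulate(requests):
    """Replay (timestamp, username, ip) wrong-password attempts against a fresh throttle.

    Returns a dict counting how each request was answered.
    """
    throttle = LoginThrottle()
    counts = {"ok": 0, "account_locked": 0, "ip_rate_limited": 0}
    for now, username, ip in requests:
        allowed, reason = throttle.check(username, ip, now)
        counts[reason] += 1
        if allowed:
            throttle.record(username, ip, success=False, now=now)
    return counts


def simulate_single_account(n=120, interval=1.0):
    """One source guessing one account at one request per second (constructed scenario)."""
    return simulate([(i * interval, "alice", "198.51.100.7") for i in range(n)])


def simulate_spray(n=25):
    """One source trying a different account every second (constructed scenario)."""
    return simulate([(float(i), f"user{i}", "198.51.100.7") for i in range(n)])


if __name__ == "__main__":
    # Without any throttle all 120 guesses would be evaluated; with it only 15 are.
    print("single account:", simulate_single_account())   # {'ok': 15, 'account_locked': 105, ...}
    print("spray:", simulate_spray())                       # {'ok': 20, 'ip_rate_limited': 5, ...}
```

The two controls cover each other's blind spot: the per-account counter stops a single account from being exhausted, while the per-IP window catches a spray that touches many accounts a few times each and so never trips any one lockout. The backoff is capped and resets on a successful login because an uncapped lockout turns the same endpoint into a denial-of-service lever against legitimate customers; lockout events should additionally be logged and alerted on, since a burst of them is the detection signal for exactly the brute-force traffic this advisory describes.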
KTM System e-BOK enforces a system-wide password policy that restricts all user credentials to exactly six numeric digit
CSRF flaws in KTM System e-BOK's email-change and password-change endpoints allow any remote, unauthenticated attacker t
Session fixation in KTM System e-BOK (an online customer service portal) enables an attacker to preset a session identif
EUVD-2026-40325
GHSA-j2ff-7q97-h87p