Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable with no auth, but AC:H for the security question prerequisite; impact is solely low availability with no confidentiality or integrity loss.
Primary rating from Vendor (CERT-PL).
Description (source: CVE.org)
MCO is vulnerable to account denial of service due to an improper implementation of the password reset functionality. Each password reset request invalidates the previously set password as well as any previously issued temporary passwords; furthermore, password resets are not limited in any way. An attacker who provides the victim's email and the answer to their security question can successfully initiate the reset process and continuously invalidate credentials, effectively locking the victim out of their account. Answering security questions allows only a limited number of tries, which lowers the risk of this vulnerability.
Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
Analysis (AI-generated)
Account denial-of-service in MyComplianceOffice MCO 25.3.3.1 enables a remote attacker to permanently lock a targeted user out of their account by repeatedly triggering password resets. MCO's reset mechanism invalidates all previously set passwords and temporary credentials on every reset cycle, and imposes no rate limit on how frequently resets can be initiated - so once an attacker supplies the victim's email and a valid security question answer, they can sustain the lockout indefinitely. …
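The reset behaviour described in the description and analysis above, as an added illustration that is not MCO's code: a minimal model of the flawed flow beside a hardened one that keeps the existing password valid until a temporary password is actually redeemed and caps reset requests per account. The account structure, the limit of three requests per window and the single-use temporary password are assumptions, not documented MCO behaviour.

```python
# Added illustration (not MCO's code): lockout-by-reset flow beside a hardened variant.
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

def _h(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()

@dataclass
class Account:                     # constructed sample account, not real MCO data
    password_hash: str
    temp_hashes: list = field(default_factory=list)  # outstanding temporary passwords
    reset_requests: int = 0                           # requests seen in the current window

def request_reset_vulnerable(acct: Account) -> str:
    """Flaw as described in the advisory: each request invalidates the current password
    and every earlier temporary password, and nothing limits how often it may run."""
    temp = secrets.token_urlsafe(12)
    acct.password_hash = ""                 # real password no longer accepted
    acct.temp_hashes = [_h(temp)]           # earlier temporary passwords dropped
    return temp

def request_reset_hardened(acct: Account, max_per_window: int = 3) -> Optional[str]:
    """Mitigated flow (assumed design): current password stays valid until a temporary
    password is redeemed; resets are capped per window (window reset left to a scheduler)."""
    if acct.reset_requests >= max_per_window:
        return None                         # request rejected by the rate limit
    acct.reset_requests += 1
    temp = secrets.token_urlsafe(12)
    acct.temp_hashes.append(_h(temp))       # earlier temps stay usable until redeemed
    return temp

def login(acct: Account, candidate: str) -> bool:
    """Accept the real password or one outstanding temporary password (single use)."""
    h = _h(candidate)
    if acct.password_hash and h == acct.password_hash:
        return True
    if h in acct.temp_hashes:
        acct.temp_hashes.clear()            # redeeming one temp retires all of them
        return True
    return False

def simulate(hardened: bool, attacker_requests: int = 10) -> dict:
    """Repeated resets against one account; report whether the victim's own password survives."""
    acct = Account(password_hash=_h("victim-password"))
    reset = request_reset_hardened if hardened else request_reset_vulnerable
    issued = [reset(acct) for _ in range(attacker_requests)]
    return {"victim_can_login": login(acct, "victim-password"), "rejected": sum(t is None for t in issued)}
```

In the flawed model the victim's password stops working after the first request; in the hardened model it keeps working and requests beyond the cap are rejected.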
Vulnerability Assessment (AI-generated)

| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires two concrete prerequisites: the attacker must know the victim's registered email address in MCO, and must be able to correctly answer the victim's security question. … |
| Risk Assessment | The CVSS 4.0 score of 6.3 with AV:N/AC:H/PR:N captures the threat accurately: the attack is remotely executable with no prior authentication, but attack complexity is genuinely high because the adversary must independently obtain the correct answer to the victim's security question, a fixed shared secret that is not publicly enumerable. … |
| Exploit Scenario | An attacker targeting a specific MCO user, for example a compliance officer at a regulated financial firm, obtains the victim's email address and social-engineers or already knows the answer to their security question. The attacker submits repeated password reset requests via the MCO web interface; each reset silently invalidates the victim's current password and any active temporary credentials, locking the victim out instantly and re-locking them any time they recover. … |
| Remediation | No vendor-released patch has been identified at time of analysis; vendor contact attempts by CERT-PL were unsuccessful, and no advisory has been issued. … |
Related vulnerabilities in MyComplianceOffice (MCO)
- Privilege escalation in MyComplianceOffice (MCO) compliance platform version 25.3.3.1 lets an authenticated user add the
- User enumeration in MyComplianceOffice (MCO) version 25.3.3.1 allows unauthenticated remote attackers to identify valid
- Unrestricted file upload in MyComplianceOffice MCO version 25.3.3.1 allows an authenticated low-privileged attacker to u
- MCO's compliance management platform exposes administrator ACL tree structures to any authenticated low-privileged user
- Insecure Direct Object Reference in MyComplianceOffice MCO version 25.3.3.1 allows authenticated users to retrieve tradi
- Path traversal and path disclosure in MyComplianceOffice MCO's file handling functionality expose authenticated high-pri
- Stored XSS in MyComplianceOffice MCO version 25.3.3.1 allows a privileged attacker with logo-upload rights to plant mali
External POC / Exploit Code
EUVD-2026-40950
GHSA-4p9c-w7qw-q5pq