CodeWise Tornet Scooter Mobile App CVE-2026-7671
LOWSeverity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A vulnerability has been found in CodeWise Tornet Scooter Mobile App 4.75 on iOS/Android. The impacted element is an unknown function of the file /TwoFactor. Such manipulation leads to improper restriction of excessive authentication attempts. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Improper restriction of excessive authentication attempts in CodeWise Tornet Scooter Mobile App 4.75 on iOS and Android allows remote attackers to bypass rate-limiting controls on the /TwoFactor endpoint, potentially enabling brute-force attacks against two-factor authentication mechanisms. Publicly available exploit code exists. The vendor did not respond to early disclosure notification.
Technical ContextAI
The vulnerability resides in the /TwoFactor endpoint of the mobile application, which implements two-factor authentication but fails to enforce proper rate-limiting or lockout mechanisms (CWE-307: Improper Restriction of Excessive Authentication Attempts). This weakness allows attackers to submit repeated authentication attempts without facing throttling, increased delays, account lockouts, or other protective controls that typically defend against credential enumeration and brute-force attacks. The affected product is the CodeWise Tornet Scooter Mobile App running on iOS and Android platforms, identified by CPE cpe:2.3:a:codewise:tornet_scooter_mobile_app.
RemediationAI
Upgrade to the latest patched version of CodeWise Tornet Scooter Mobile App when available from the Google Play Store (Android) or Apple App Store (iOS). Since the vendor did not respond to disclosure and no official patch version is confirmed, check both app stores for security updates. In the interim, implement application-level compensating controls: (1) Deploy server-side rate-limiting on the /TwoFactor endpoint (e.g., max 5 attempts per IP/user per 15 minutes) with exponential backoff and account temporary lockout after threshold; (2) Implement CAPTCHA or challenge-response verification after 3 failed attempts to add friction to automated attacks; (3) Monitor for anomalous authentication patterns (rapid sequential attempts) and alert administrators. User-level mitigation: enable push notification approval for two-factor authentication if the app supports it, as this adds a second verification barrier beyond OTP/SMS that rate-limiting attacks cannot directly bypass. Note: these compensating controls reduce but do not eliminate the risk - vendor patching remains the primary requirement.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today