Skip to main content

CodeWise Tornet Scooter Mobile App CVE-2026-7671

LOW
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-05-02 VulDB
2.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
PoC Detected
May 04, 2026 - 15:19 vuln.today
Public exploit code
CVSS changed
May 03, 2026 - 00:22 NVD
3.7 (LOW) 2.9 (LOW)
Analysis Generated
May 03, 2026 - 00:00 vuln.today
Analysis Generated
May 02, 2026 - 23:45 vuln.today
CVE Published
May 02, 2026 - 23:30 nvd
LOW 2.9

DescriptionCVE.org

A vulnerability has been found in CodeWise Tornet Scooter Mobile App 4.75 on iOS/Android. The impacted element is an unknown function of the file /TwoFactor. Such manipulation leads to improper restriction of excessive authentication attempts. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Improper restriction of excessive authentication attempts in CodeWise Tornet Scooter Mobile App 4.75 on iOS and Android allows remote attackers to bypass rate-limiting controls on the /TwoFactor endpoint, potentially enabling brute-force attacks against two-factor authentication mechanisms. Publicly available exploit code exists. The vendor did not respond to early disclosure notification.

Technical ContextAI

The vulnerability resides in the /TwoFactor endpoint of the mobile application, which implements two-factor authentication but fails to enforce proper rate-limiting or lockout mechanisms (CWE-307: Improper Restriction of Excessive Authentication Attempts). This weakness allows attackers to submit repeated authentication attempts without facing throttling, increased delays, account lockouts, or other protective controls that typically defend against credential enumeration and brute-force attacks. The affected product is the CodeWise Tornet Scooter Mobile App running on iOS and Android platforms, identified by CPE cpe:2.3:a:codewise:tornet_scooter_mobile_app.

RemediationAI

Upgrade to the latest patched version of CodeWise Tornet Scooter Mobile App when available from the Google Play Store (Android) or Apple App Store (iOS). Since the vendor did not respond to disclosure and no official patch version is confirmed, check both app stores for security updates. In the interim, implement application-level compensating controls: (1) Deploy server-side rate-limiting on the /TwoFactor endpoint (e.g., max 5 attempts per IP/user per 15 minutes) with exponential backoff and account temporary lockout after threshold; (2) Implement CAPTCHA or challenge-response verification after 3 failed attempts to add friction to automated attacks; (3) Monitor for anomalous authentication patterns (rapid sequential attempts) and alert administrators. User-level mitigation: enable push notification approval for two-factor authentication if the app supports it, as this adds a second verification barrier beyond OTP/SMS that rate-limiting attacks cannot directly bypass. Note: these compensating controls reduce but do not eliminate the risk - vendor patching remains the primary requirement.

Share

CVE-2026-7671 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy